-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make production binaries auditable for known vulnerabilities #14
Comments
I have a proof of concept implementation that embeds While I am waiting for permission to release the code, here's a sneak peek:
The intention is to demonstrate that embedding Cargo.lock in the binary is actually a really good idea and that Cargo should do that by default, so I wouldn't have to maintain a hacky implementation of the Cargo.lock embedding. The tool to extract that info is likely here to stay, though. |
I have published a proof of concept implementation: https://github.com/Shnatsel/rust-audit Discussion: https://www.reddit.com/r/rust/comments/awlqfi/ |
RFC for Cargo is open: rust-lang/rfcs#2801 It got a lot of constructive feedback, we need to incorporate it and submit it for another round. |
Implementation as a Cargo subcommand: https://github.com/rust-secure-code/cargo-auditable |
We need to make binaries deployed in production auditable for known security issues. This may include non-trivial deployment methods, such as:
cargo install
Ideally this should also extend to statically linked C libraries, if any.
Rustc and LLVM version are already embedded in the binary, so rustc and/or stdlib versions are already auditable in theory, but there is no tool to do that in practice. No other version information is currently embedded in binaries.
The text was updated successfully, but these errors were encountered: