[zapps-wg] Version of Rust

Devrandom c1.devrandom at niftybox.net
Fri Nov 17 12:08:02 EST 2017


I'm going to try to compile with older versions, will let you know how it
goes.  Ideally we could get to versions before zcash was announced.

This will be fun, have not done Rust before.  But here are some thoughts
about the Rust compiler after trying to compile it from source:

- the Rust compiler can only be built with itself, which means that you
have to start from a binary, so you might as well trust the binary
- if we start with a really old one, the chances of a targeted attack are
pretty slim
- a general trojan that detects access to /dev/random and reduces entropy
could still be lurking
- the mixing of entropy from the user should mitigate, unless the compiler
can be smart enough to detect even that

BTW, what does the timestamp on crates.io buy us? Looking at the repo, it
looks like they just commit version numbers, but not git hashes of the
source code.
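As an added illustration of the user-entropy mitigation mentioned in the list above (example code, not from this thread or from the Zcash tooling; the helper names and the all-zero "degraded" OS source are constructed for the demo), the following mixes every source through one hash so that the resulting seed is unpredictable as long as at least one input is:

```python
import hashlib
import os
import struct


def mix_entropy(sources):
    """Combine several byte strings into one 32-byte seed.

    Each source is length-prefixed before hashing so the boundary
    between sources is unambiguous (b"ab"+b"c" must not collide with
    b"a"+b"bc").  If any single source is unpredictable, the digest
    is too: a trojaned /dev/random is compensated by user input, and
    weak user input is compensated by a healthy /dev/random.
    """
    h = hashlib.sha256()
    for src in sources:
        h.update(struct.pack(">Q", len(src)))  # 8-byte big-endian length
        h.update(src)
    return h.digest()


def seed_from_os_and_user(user_input, os_bytes=None):
    """Hypothetical helper: mix os.urandom with user-typed entropy."""
    if os_bytes is None:
        os_bytes = os.urandom(32)
    return mix_entropy([os_bytes, user_input.encode("utf-8")])


# Constructed worst case: the OS source has been reduced to all zeros,
# the kind of entropy reduction the message above is worried about.
DEGRADED_OS = bytes(32)


def demo():
    """Two different user inputs still give two different seeds even
    when the OS source contributes nothing."""
    a = seed_from_os_and_user("keyboard mashing: asdkjh23", DEGRADED_OS)
    b = seed_from_os_and_user("keyboard mashing: asdkjh24", DEGRADED_OS)
    return len(a) == 32 and a != b


if __name__ == "__main__":
    print("mixing works:", demo())
```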


On Thu, Nov 16, 2017 at 4:45 PM Peter Todd <pete at petertodd.org> wrote:

> On Thu, Nov 16, 2017 at 01:59:53PM -0700, Sean Bowe via zapps-wg wrote:
> > I think it is the current version (1.21). I imagine it would be
> > possible to modify the code (and many of the dependencies) so that it
> > could compile on a really old version too.
>
> Also, if someone does manage to do this, I have an OpenTimestamps Git
> timestamp(1) on the Rust crates.io crate registry:
>
> https://github.com/petertodd/crates.io-index/commit/763a730f2275d69eb13ee8b212fc9aa0d6fe92b5
>
> Secondly, the Internet Archive contains quite a bit of uploaded software,
> such as Debian install images, and via my Internet Archive timestamp
> project we have timestamps from May this year for most of that:
>
> https://petertodd.org/2017/carbon-dating-the-internet-archive-with-opentimestamps
>
> While these timestamps would be only one part of an argument as to why a
> given compile wasn't backdoored, I think it's worth using cryptographically
> timestamped dependencies over non-timestamped ones when possible.
>
>
> 1) https://petertodd.org/2016/opentimestamps-git-integration
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>