Switch to fiat-crypto Rust crate #201
Comments
|
I think the best approach is still to make it a part of the daily tests in form a script or similar. Failing the daily tests seems fine IMO. A bot for the room would be nice as an additional reminder, but as you said it would require to maintain it. Also, then we'd have to start scrolling through chat-logs every once in a while to check if there's a update missing. Of course, you're welcome to add the bot in addition to CI/CD just for fun, if you'd like. |
|
Do we also want to take the dependabot approach here? It could issue a PR instead of failing the tests. |
|
Not really sure if we can. Do you know of some custom way to script Dependabot? Or was it another approach you had in mind? |
It's more likely that a change will mean that we tweaked the documentation, added a new operation, or tweaked some optimization. I guess it's possible that we got some parentheses or cast transcriptions wrong (the only unverified part is where we go from our internal AST to Rust code). Regardless, is there any reason to inline the Rust code rather than depending on our published Rust crate? |
When I initially looked at it, IIRC the generated Rust code in the repository was newer than that of the Rust crate. So I simply thought to be able to get the newest version, there'd have to be a manual check. Maybe I misunderstood something there? Just looked again and there seems to be automatic publishing of the Rust crate now (maybe there was before too?). If this is the case, then I don't see a reason as to why we wouldn't prefer the crate over inlined Rust code. How regularly does the automatic publishing happen, in terms of changes to the Rust code? Anyway, thanks for chiming in here! |
|
Yeah, we update the crate automatically any time we release a version, which we do anytime there are significant changes to the code (and I plan to bump the major version if ever we make a backwards-incompatible change to the interface). |
|
Also, if you ever discover that the crate is out of date in a meaningful way, feel free to open an issue asking us to make a new release. (But there's no reason to be pegged to the latest version. Certainly if we find any correctness issues in the generated code we'll immediately make a new release when they're fixed.) Also, if there's something we have to do on our end to get dependabot to notice when we do a release, I'm happy to set that up on our side. |
Then I definitely don't see a reason not to switch to the crate. Thanks for expanding upon it.
There shouldn't be. As long as the version number is bumped, which it must either way, Dependabot should detect it. |
brycx
changed the title
|
Changed scope of issue. Please raise any possible concerns @vlmutolo, especially if you don't want to remain assigned to this issue, considering the change. My initial thinking is to include this in the next minor release. |
Summary
We use fiat-crypto code to implement various low-level cryptographic primitives. If the generated code from
fiat-rustchanges, it could mean there's a security vulnerability in it. An easy way to ensure we're notified of these changes would be to fail CI tests if the hash of the file(s) we use changes.Alternatives
fiat-rusthash changes and posts to the Orion room. This would require maintaining the bot, though.The text was updated successfully, but these errors were encountered: