Merge branch 'safer_build' into 'main'

Add `doc/safer_build.md` to explain path anonymization

Closes #957

See merge request tpo/core/arti!1435
commit
965aab96b9
|
@ -88,6 +88,14 @@ You can build a binary (but not run it) with:
|
||||||
|
|
||||||
The result can be found as `target/release/arti`.
|
The result can be found as `target/release/arti`.
|
||||||
|
|
||||||
|
⚠ **Safety Note**: if you are using the default build options,
|
||||||
|
the compiler will include filesystem path information in the
|
||||||
|
binary that it generates. If your path is sensitive (for example,
|
||||||
|
because it includes your username), you will want to take steps
|
||||||
|
to prevent this. See [`doc/safer-build.md`](doc/safer-build.md)
|
||||||
|
for more information.
|
||||||
|
|
||||||
|
|
||||||
If you run into any trouble building the program, please have a
|
If you run into any trouble building the program, please have a
|
||||||
look at [the troubleshooting guide](doc/TROUBLESHOOTING.md).
|
look at [the troubleshooting guide](doc/TROUBLESHOOTING.md).
|
||||||
|
|
||||||
|
|
|
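Review bot: the link added in the Safety Note points at `doc/safer-build.md` (hyphen), while the commit message names the new file `doc/safer_build.md` (underscore). If the file really is named with an underscore, this link is dead and the reader who most needs the anonymization steps never reaches them. Please make the link text and target match the file name that was actually added.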
@ -0,0 +1,55 @@
|
||||||
|
# Safer build options
|
||||||
|
|
||||||
|
By default,
|
||||||
|
the Rust compiler includes your current path information
|
||||||
|
in the binaries that it generates.
|
||||||
|
This could be a problem if,
|
||||||
|
for example, you are building from a path like
|
||||||
|
`/home/FirstnameLastname/build/arti`
|
||||||
|
and releasing binaries (or uploading backtraces)
|
||||||
|
under a pseudonym
|
||||||
|
that you do not want linked to `FirstnameLastname`.
|
||||||
|
|
||||||
|
There is a good overview of the issues here at
|
||||||
|
https://github.com/betrusted-io/xous-core/issues/57 .
|
||||||
|
|
||||||
|
There are a couple of workarounds here.
|
||||||
|
|
||||||
|
# Workaround one: reproducible build
|
||||||
|
|
||||||
|
If you have Docker,
|
||||||
|
you can run a reproducible build of Arti,
|
||||||
|
so that the binary you make will be the same
|
||||||
|
as a binary generated by anybody else.
|
||||||
|
|
||||||
|
See the
|
||||||
|
[`docker_reproducible_build`](../maint/docker_reproducible_build)
|
||||||
|
script for more information.
|
||||||
|
|
||||||
|
# Workaround two: RUSTFLAGS
|
||||||
|
|
||||||
|
As a quick-and-dirty solution,
|
||||||
|
you can use the `--remap-path-prefix` option
|
||||||
|
to tell the Rust compiler
|
||||||
|
to re-map your paths into anonymized ones.
|
||||||
|
|
||||||
|
This is not a perfect solution;
|
||||||
|
there are known issues under some configurations,
|
||||||
|
particularly if you are linking to a static OpenSSL.
|
||||||
|
|
||||||
|
Personally, I get good results from running:
|
||||||
|
|
||||||
|
```
|
||||||
|
RUSTFLAGS="--remap-path-prefix $HOME/.cargo=.cargo --remap-path-prefix $(pwd)=." \
|
||||||
|
cargo build --release -p arti
|
||||||
|
```
|
||||||
|
|
||||||
|
After you do this, you can use
|
||||||
|
`strings target/release/arti | grep "$HOME"`
|
||||||
|
to see if your home directory appears in the result.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
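Review bot: the verification step at the end of the new file, `strings target/release/arti | grep "$HOME"`, only checks for the home directory, although the command above it also remaps `$(pwd)`, which need not be under `$HOME`. A build tree elsewhere on disk could therefore leak its path and still pass this check. Suggest also searching for the build directory and the username, and using `grep -F` so the path is matched as a literal string rather than a regular expression. Two smaller points: `RUSTFLAGS` is split on spaces, so the example breaks if `$HOME` or the working directory contains a space (worth a sentence, or use `CARGO_ENCODED_RUSTFLAGS`), and the two "Workaround" headings are at the same `#` level as the document title, where `##` would nest them under it.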