Merge branch 'safer_build' into 'main'

Add `doc/safer_build.md` to explain path anonymization

Closes #957

See merge request tpo/core/arti!1435
Ian Jackson 2023-07-25 10:44:51 +00:00
commit 965aab96b9
2 changed files with 63 additions and 0 deletions


@ -88,6 +88,14 @@ You can build a binary (but not run it) with:
The result can be found as `target/release/arti`. The result can be found as `target/release/arti`.
**Safety Note**: if you are using the default build options,
the compiler will include filesystem path information in the
binary that it generates. If your path is sensitive (for example,
because it includes your username), you will want to take steps
to prevent this. See [`doc/safer-build.md`](doc/safer-build.md)
for more information.
If you run into any trouble building the program, please have a If you run into any trouble building the program, please have a
look at [the troubleshooting guide](doc/TROUBLESHOOTING.md). look at [the troubleshooting guide](doc/TROUBLESHOOTING.md).
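Review bot: The Safety Note sits after "You can build a binary (but not run it) with:" and the "The result can be found as `target/release/arti`" line, so a reader following the steps top to bottom has already produced a binary with embedded paths before reaching the warning. Consider moving the note above the build command, so the reader sees it before running the build.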

doc/safer-build.md Normal file

@ -0,0 +1,55 @@
# Safer build options
By default,
the Rust compiler includes your current path information
in the binaries that it generates.
This could be a problem if,
for example, you are building from a path like
`/home/FirstnameLastname/build/arti`
and releasing binaries (or uploading backtraces)
under a pseudonym
that you do not want linked to `FirstnameLastname`.
There is a good overview of the issues here at
https://github.com/betrusted-io/xous-core/issues/57 .
There are a couple of workarounds here.
# Workaround one: reproducible build
If you have Docker,
you can run a reproducible build of Arti,
so that the binary you make will be the same
as a binary generated by anybody else.
See the
[`docker_reproducible_build`](../maint/docker_reproducible_build)
script for more information.
# Workaround two: RUSTFLAGS
As a quick-and-dirty solution,
you can use the `--remap-path-prefix` option
to tell the Rust compiler
to re-map your paths into anonymized ones.
This is not a perfect solution;
there are known issues under some configurations,
particularly if you are linking to a static OpenSSL.
Personally, I get good results from running:
```
RUSTFLAGS="--remap-path-prefix $HOME/.cargo=.cargo --remap-path-prefix $(pwd)=." \
cargo build --release -p arti
```
After you do this, you can use
`strings target/release/arti | grep "$HOME"`
to see if your home directory appears in the result.
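Review bot: The closing check, `strings target/release/arti | grep "$HOME"`, covers only the home directory, while the RUSTFLAGS command also remaps `$(pwd)`, which need not be under `$HOME`. Suggest also grepping for `$(pwd)` and for the username on its own, and stating that no output is the expected result. As a style point, "Workaround one" and "Workaround two" use the same `#` level as the document title "Safer build options"; `##` would make them subsections. The "known issues under some configurations" sentence would also be more useful with a link or issue reference.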