[erlang-questions] Right direction ?
David Goehrig
dave@REDACTED
Wed Sep 21 19:40:21 CEST 2011
Last night I began hacking on code.erl, code_server.erl, and looking to extend load_file(Module :: atom()) to include a load_file(Module, Url) function that would look for the module at the associated URL rather than searching for the file via abs path. It would then compare the sha256 hash of the file against the copy in cache and bail if they are different (no hash in cache adds it and uses as the baseline).
I was wondering if there was a good way to verify that a .beam has not been modified since last load.
For example:
-module(my_mod)
-require(daves_mod,"http://erlang.dloh.org/")
Could then look for http://erlang.dloh.org/daves_mod.erl and download and compile a local beam. Once I have that beam, I can just load from cache, but what happens if the beam is modified after compilation?
The other thing I would like to add is DNS TXT records that could be published sha256 hashes of each source module.
http://erlang.dloh.org/daves_mod.erl 45663AFDA....
Adding a
-signature("http://erlang.dlog.org/daves_mod.erl","45663AFDA....")
Would allow a 3 part verification of the source:
1.) I can compute the source has the right hash
2.) I can look up that the module has the same published signature
3.) I can verify against the original at the specified URL
In this scenario it is not enough to modify the source and rehash, nor enough to replace the upsteam file, but also replace the DNS entry without anyone noticing.
Thoughts?
Dave
-=-=- dave@REDACTED -=-=-
More information about the erlang-questions
mailing list