[Git][reproducible-builds/reproducible-website][master] 2026-04: update phrasing re: hash-collision seeds in Rust binaries
James Addison (@jayaddison)
gitlab at salsa.debian.org
Tue May 5 20:39:03 UTC 2026
James Addison pushed to branch master at Reproducible Builds / reproducible-website
Commits:
75c1bd4f by James Addison at 2026-05-05T21:38:25+01:00
2026-04: update phrasing re: hash-collision seeds in Rust binaries
- - - - -
1 changed file:
- _reports/2026-04.md
Changes:
=====================================
_reports/2026-04.md
=====================================
@@ -54,7 +54,7 @@ Congratulations to the [Civil Infrastructure Platform](https://cip-project.org/)
Reproducible Builds developer *kpcyrd* [opened an ticket](https://github.com/rustsec/rustsec/issues/1576) on the [Rustsec](https://rustsec.org/) issue tracker regarding binaries that deliberately inject random bytes into their binaries "as a secret seed for a [Hash Collision DoS mitigation](https://en.wikipedia.org/wiki/Collision_attack)."
-As [*kpcyrd* notes in his message](https://github.com/rustsec/rustsec/issues/1576#issue-4241372819), this causes issues for reproducibility and it is not guaranteed that end-user binaries are "mostly distributed pre-compiled through package managers, meaning the binaries (and by extension the secret seed) are public knowledge". *kpcyrd* goes on to note:
+As [*kpcyrd* notes in his message](https://github.com/rustsec/rustsec/issues/1576#issue-4241372819), this causes issues for reproducibility, and because the relevant end-user binaries are "mostly distributed pre-compiled through package managers, those binaries (and by extension the secret seed) are public knowledge". *kpcyrd* goes on to note:
> This is somewhat unique to Rust because Python/JavaScript doesn't compile binaries, and Go (to my knowledge) is too restrictive during build for any library to pull something like this.
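Review bot: On the added line, the text inside the quotation marks has changed from "meaning the binaries (and by extension the secret seed) are public knowledge" to "those binaries (and by extension the secret seed) are public knowledge", so the sentence now presents reworded text as kpcyrd's own words. Either keep the quoted wording exactly as it was and adjust only the report's framing around it, or close the quotation after "package managers" and give the rest as paraphrase. The unchanged context line above also still reads "opened an ticket" and "binaries that deliberately inject random bytes into their binaries"; since this commit is a phrasing pass on the same paragraph, both could be fixed here ("opened a ticket", and "crates" or "builds" for the first "binaries" if that is what is meant).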
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/75c1bd4fbe8efa9a0b26962b4b5cd7dbbc51351c