Please disclose that zig-protobuf downloads and runs binary blobs from Google
Nothing in the README indicates that this Zig module downloads protoc binaries from Google and then runs them, which is a serious security and trust issue. It would be nice to give some kind of warning, as "a protobuf 3 implementation for zig" implies that there wouldn't be unverifiable binary blobs of C++ downloaded from Google, and in fact, you aren't even allowed to use anything else. Please do not download and run binary blobs on my computer without my consent. Thank you.
Hello @0x08088405 , thanks for your issue.
I understand your point of view, and will update the README accordingly. That said, there are a few points I'd like to add.

> It would be nice to give some kind of warning, as "a protobuf 3 implementation for zig" implies that there wouldn't be unverifiable binary blobs of C++

I understand that it is not "clear" that it's not pure zig, but it's also slightly disingenuous to say that considering protobuf is a two part process, one involving generating code specific to your .proto files. As far as I know, the vast majority of third party implementations of protobuf rely on protoc to handle the generation.
Also, please note that the generation step is literally called RunProtoc, so it's not like we are hiding it either.
That said, if you feel that it wasn't clear enough, I think you're right and we should be more explicit.

> And in fact, you [aren't even allowed](https://github.com/Arwalk/zig-protobuf/pull/138#issuecomment-3369261238) to use anything else.

You pointed toward a current limitation on using an externally provided protoc, but that doesn't mean it's impossible to use anything else. You can (and I'd love to see it) have your own code generator that handles the parsing of .proto files and generates code that is compatible with this library. I actually think making it compatible with the library is the easiest step in the process.
Us not providing an alternative to protoc doesn't mean it is impossible. It is very much possible, and I'd love to see it done, externally or in this repo. Feel free to contribute.
> I understand that it is not "clear" that it's not pure zig, but it's also slightly disingenuous to say that considering protobuf is a two part process, one involving generating code specific to your .proto files. As far as I know, the vast majority of third party implementations of protobuf rely on protoc to handle the generation.

The issue is not that protoc is used but that it's downloaded with no attempt at checking if protoc is provided by the system or even just compiling it.
I made a PR that builds protoc locally which should solve this #146