Since December, FP
Complete has been working with Cardano Foundation on an audit of
the Cardano settlement layer. The audit work is ongoing, with the
currently released reports available on Cardano's
The primary codebase we have been reviewing, cardano-sl, depends on many packages from the
Haskell ecosystem. As a result, a significant portion of our audit
work involves reviewing these open source libraries, often quite
separately from their usage within the Cardano project itself.
We believe that sharing the results of our library audits can be
helpful for the Haskell community in general by:
- identifying concrete areas that can be improved
- sharing information on our review process
- encouraging a culture of pushing for higher quality in our
commonly used open source libraries
With Cardano Foundation's permission (and encouragement), we're
excited to announce that we will begin publishing audit reports on
individual libraries in addition to our work on auditing the
Cardano project itself.
For the most part, the choice of libraries to be audited will be
guided by usage within cardano-sl, as our primary goal remains to
perform an audit on that codebase. We will also withhold
security-sensitive discoveries until fixes can be made upstream,
following the principles of responsible disclosure.
Our first audit report covers the binary library, and is
available immediately. Please see
Cardano Foundation's announcement
blog post for details. (Update: the external blog post has since been deleted.)
We do not have a specific timetable for
future report releases, but expect to see such reports announced
both on Cardano Foundation's website, and on this blog.
We also look forward to sharing some of our code review
techniques and tooling with the community. To find out more about
our audit process you can also visit our audit page.