AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Low: the "anonymous" compilation hash is a stable unsalted fingerprint of the compiled schema set — CONFIRMED
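Affected code:
- `SHA256.HashData(descriptor.SerializedData.Memory.Span)` and an ordered rolling re-hash
- `CompilationHash`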
Verification:
Confirmed. The hash is:
- Deterministic — same `.proto` content produces the same hash.
- Unsalted — no per-machine / per-run nonce.
- Stable across builds of the same schema set on the same or different machines.
An adversary with a candidate corpus of .proto files (say, public OSS repos) can precompute hashes and identify which projects are being built, even though the hash does not reveal the schema content. Because the hash is also order-sensitive (each step is SHA256(newHash || hashBytes) per the rolling fold at line 48), the fingerprint links runs that preserve proto-file ordering — typical of CI systems with stable inputs — more strongly than an unordered set hash would.
Impact:
- The telemetry is pseudonymous, not anonymous.
- Repeated builds of the same schema set are linkable over time.
Recommendation:
- Revise the README to describe this as a pseudonymous schema fingerprint rather than anonymous data.
- For stronger privacy, drop the hash entirely or replace it with a coarse aggregation signal that can't be inverted against a candidate set.
Status: Valid, Low severity.
Source report: src-IceRpc.Protobuf.BuildTelemetry-audit-2026-04-14.md (finding the "anonymous" compilation hash is a stable unsalted fingerprint of the compiled schema set — **CONFIRMED**)
Severity (auditor-assigned): Low
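The properties listed under Verification can be checked with a small model of the fold. This is an added example, not the project's code: the function names, the empty starting accumulator, and the byte strings standing in for serialized descriptors are all assumptions.

```python
import hashlib
import os

def compilation_hash(descriptors, seed=b""):
    """Ordered rolling fold: acc = SHA256(acc || SHA256(descriptor))."""
    acc = seed  # assumption: the issue does not state the initial value
    for data in descriptors:
        acc = hashlib.sha256(acc + hashlib.sha256(data).digest()).digest()
    return acc.hex()

def unordered_set_hash(descriptors):
    """Contrast case: sort the per-file hashes first, so order is ignored."""
    per_file = sorted(hashlib.sha256(d).digest() for d in descriptors)
    return hashlib.sha256(b"".join(per_file)).hexdigest()

def match_candidates(observed, corpus):
    """Names in a candidate corpus whose unsalted hash equals `observed`."""
    return [name for name, descs in corpus.items()
            if compilation_hash(descs) == observed]

# Constructed stand-ins for serialized file descriptors (not real schemas).
PROJECT_A = [b"message Greeting { string text = 1; }",
             b"service Greeter { rpc Greet (Greeting) returns (Greeting); }"]
PROJECT_B = [b"message Order { int64 id = 1; }"]
CORPUS = {"project-a": PROJECT_A, "project-b": PROJECT_B}

if __name__ == "__main__":
    reported = compilation_hash(PROJECT_A)
    # Deterministic and unsalted: a second run yields the same value.
    print("stable across runs:", reported == compilation_hash(PROJECT_A))
    # Order-sensitive: the same files in another order hash differently.
    print("order changes hash:", reported != compilation_hash(PROJECT_A[::-1]))
    # The value matches a precomputed entry, so it is pseudonymous.
    print("matches corpus entry:", match_candidates(reported, CORPUS))
    # A per-run nonce as seed breaks both linkage and corpus matching.
    salted = compilation_hash(PROJECT_A, seed=os.urandom(32))
    print("salted matches:", match_candidates(salted, CORPUS))
```

A per-run nonce removes the linkage, but the resulting value no longer carries any signal across runs, which is consistent with the recommendation to drop the hash or use a coarse aggregate instead.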