feat: [Source Validation] Check linkage #18964
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
3 Skipped Deployments
|
amnn
force-pushed
the
amnn/src-verify-link
branch
from
fc312f4
to
64cea8e
Compare
amnn
force-pushed
the
amnn/test-publish-storage-id
branch
from
3b14d63
to
2f729cc
Compare
amnn
force-pushed
the
amnn/src-verify-link
branch
from
64cea8e
to
3be9029
Compare
amnn
force-pushed
the
amnn/test-publish-storage-id
branch
from
2f729cc
to
919ecb5
Compare
| // SAFETY: The error type does not implement `Clone` so we need to take the | ||
| // error by value. We do that by calling `next` to take the value we just | ||
| // peeked, which we know is an error type. | ||
| errs.push(modules.next().unwrap().unwrap_err()); |
There was a problem hiding this comment.
Is this covered by tests?
There was a problem hiding this comment.
Quite difficult to do that in this case, because it requires publishing a package that fails deserialization.
stefan-mysten
approved these changes
Aug 14, 2024
There was a problem hiding this comment.
Not familiar with the code, but stamping to get this workstream unblocked.
I'd suggest that @rvantonder or someone else that is more familiar with the code has a look at it as well!
amnn
force-pushed
the
amnn/src-verify-link
branch
from
0f10233
to
c183932
Compare
amnn
force-pushed
the
amnn/test-publish-storage-id
branch
from
919ecb5
to
7283d3c
Compare
## Description Fix a bug in tests that publish packages where the publish transaction was always constructed referring to dependencies at their original IDs, and not their storage IDs. This has not caused a problem to date, meaning these tests may not publish a package that depends on an upgrade package, but to avoid confusion `get_dependency_original_package_ids` has been replaced with `get_dependency_storage_package_ids`. Similarly, `get_package_dependencies_hex` has been replaced with an invocation of `get_dependency_storage_package_ids`. ## Test plan CI +: ``` sui$ cargo build --bin sui sui$ cd tmp sui$ ~/sui/target/debug/sui move new test sui$ # make it possible to compile sui$ ~/sui/target/debug/ui move build --dump-bytecode-as-base64 ```
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ```
amnn
force-pushed
the
amnn/test-publish-storage-id
branch
from
7283d3c
to
fa858a5
Compare
amnn
force-pushed
the
amnn/src-verify-link
branch
from
c183932
to
b160542
Compare
Base automatically changed from
amnn/test-publish-storage-id
to
amnn/src-valid-err
August 14, 2024 17:55
amnn
added a commit
that referenced
this pull request
Aug 15, 2024
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ``` ## Stack - #18956 - #18959 - #18978 - #18960 - #18962 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: `sui client verify-source` now also confirms a package's linkage table matches its source dependencies. - [ ] Rust SDK: - [ ] REST API:
suiwombat
pushed a commit
that referenced
this pull request
Sep 16, 2024
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ``` ## Stack - #18956 - #18959 - #18978 - #18960 - #18962 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: `sui client verify-source` now also confirms a package's linkage table matches its source dependencies. - [ ] Rust SDK: - [ ] REST API:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package.
Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical.
Test plan
New tests exercising the scenario mentioned above:
Stack
Release notes
Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required.
For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates.
sui client verify-sourcenow also confirms that a package's linkage table matches its source dependencies.