New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AIP-X Code Verification API #150
Conversation
Interesting idea! A couple of questions:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, thanks for this proposal! I love the idea of a standard for this, I know multiple providers are looking into providing an API like this and I know certain tools (e.g. the explorer) will benefit from it.
There are a few things I don't quite understand, if you could help clear them up that'd be great.
- Is this API spec for a service that runs independent of a fullnode?
- How does this work if the code is not available via the fullnode API, e.g. because the developer chose not to upload it?
- How come you need to provide the Move.toml file, you can retrieve this when retrieving the module code.
- How come we need to include chainId in the response?
- How come we need to include isImmutable in the response? If we include this, why not include a more complete response containing all the information from Move.toml / the ABI.
- How is the requester meant to know the compilerVersion?
Thanks for your feedback :) |
Hi dport, good to see you again :)
@banool, Thank you so much for your detailed feedback. |
|
|
Oh, thank you! That's excellent. If we can store it in the module metadata, that would be the cleanest solution. May I ask why you mentioned that this is an unacceptable requirement for tools like the explorer? |
Mostly because of that use case I mentioned. If user X publishes a module and user Y wants to verify it, user Y will never be able to because they don't know what compiler version user X used. |
You're correct. However, fundamentally, verification serves as a means for the publisher X to gain trust from all users including Y. Don't you think X has sufficient motivation to provide their code and compiler information to Y in some way? Even so, incorporating it into the module's metadata would be the most effective approach. |
Let me chat with the team about this one. |
Hey sorry for the delay here, we're still discussing how we can expose this information. |
That's fine. I'm also preparing in various ways. I will share more soon. |
Hey we're still chatting about this internally. If we don't have a resolution by the end of the week we can move forward with the compiler version field as part of the API. I will have another round of feedback soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Of course, code verification can be performed locally through the SDK. However, to increase accessibility and usability, it's most desirable to provide it through an API in the explorer.
-
Actually, I tend to disagree with this. A local verification via the SDK (as supported already) seems to me the most reliable one. It is easier and decentralized to verify that a locally installed SDK is not corrupted then to trust a centralized API. How can I ensure that the API provider is not colluding with a malicious smart contract developer to hide bad code from me? The SDK solution seems to me actually superior. I trust my SDK to generate my code -- and to verify others code as I need.
-
If we really want this, perhaps we should do this differently. For packages with source onchain (majority), we should verify integrity of source and bytecode at deployment time. For packages without source code, we can generate source from the bytecode (possible in Move without information loss).
Thank you for your feedback. I have a few questions. According to your suggestion, does this rely on the developer's voluntary action at the time of package deployment? Are you suggesting that there is a way to enforce verification in open-source blockchain SDKs or CLIs? As you said, when I was in the Ethereum ecosystem, it was unsettling to rely entirely on Explorer. However, most users and developers did not verify the code themselves and pursued convenience. This is despite the fact that Etherscan is not open-source and is not officially operated by the foundation. So, I think that if the foundation's official explorer just sets the verification API specification, various verification server operators can participate in the verification, reducing dependence on a specific server and dealing with various compiler versions. |
If the approach you suggest is possible @wrwg, where source and bytecode are verified to match as part of consensus before being committed, that would be the ideal approach. It would presumably make package publishing much more expensive though, since all module publishing would require every validator to either:
I still think it's worth it though, this would be a big win for user safety. |
Performing compilation by every validator for code verification might seem intuitively right, but there are several problems that follow this approach. @wrwg @banool
Evaluating these issues and finding the right balance is an important task that lies before us. |
Sorry for the delay on responding. The arguments of cost and complexity of validators performing the compilation check, and then via consensus agree on this, make sense. It is too expensive like this. I was hoping for some kind of cryptographic approach (ZK proof perhaps) but did not had a chance yet to interview the experts about this. While waiting to hear back about this, lets entertain the API idea.
Could we perhaps evolve the AIP to make this a new functionality of a fullnode? There would be basically a single call which takes the same parameters as package deployment with sources but minus bytecode, and verifies the code on chain by compiling the sources. |
@wrwg, I deeply appreciate your insightful observations and suggestions on my proposed AIP. One of the first things that captivated me about the Aptos ecosystem was indeed the innovative design of the Move language. Its transparency and ability to decompile bytecode into a high-level format is indeed impressive and a unique feature. This API proposal was initiated with the goal of facilitating code verification based on these aspects of Move, aiming to enhance the accessibility of these innovative features to both users and developers. I believe it has the potential to provide meaningful value to many people. Your suggestion about code verification by all nodes seems very effective, but I agree that such an approach could require substantial resources and management efforts. Through this AIP, my objective is to minimize such complexities while enabling as many people as possible to utilize the code verification service. Aptos is still a blockchain in progress, moving towards its roadmap. This AIP could become a part of that journey. When I presented this idea at a hackathon, my team received a lot of positive feedback and encouragement. This API, even in its early stages, has already attracted a lot of attention, and I am indeed planning to implement it in reality. If there is an AIP standard, not a proprietary format, various third parties could participate. Looking at your suggestions, I am pondering how to harmoniously integrate these two approaches. I deeply appreciate your feedback and welcome any further thoughts you might have. Thank you again, @wrwg. I consider it a great honor to be able to contribute to the ecosystem while discussing with someone like you. I am confident that through our continued dialogue, we can collectively strive for better solutions. |
@gregnazario FYI |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks 0xshy for explaining the background of this project. I love the excitement and engagement. I left some constructive feedback on the current API.
If we want to move forward with this as an AIP, we need to make clear that the AIP does not cover how a service provider is actually certified. I added some suggestion how this could be clarified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some final nits, but I'd say this AIP is in a sufficiently detailed state to land as an AIP and start soliciting broader community feedback. Thanks a lot for working through our feedback!
Co-authored-by: Daniel Porteous (dport) <daniel@dport.me>
Hey @0xhsy, we discussed this internally and feel at this point in time this does not meet the criteria for a published AIP. Specifically AIPs are about proposed standards that have already had some form of implementation backing them and will become center points of the Aptos ecosystem. To date, all approved AIPs have a nature of impacting the Rest APIs, the VM, Framework, or underlying blockchain. This AIP introduces an optional service that does not fit as part of a yet need to standardize part of the Aptos ecosystem. While it is a great idea, it would be better started off as a general community proposal, obtain some amount of adoption from both consumers and implementers proving the value and utility. This would likely result in some changes to the current approach. At which point, we would benefit from a standard so that we don't see dozens of different approaches. So a couple things, 1) The team is going to explore an appropriate medium for communication about exploratory ideas. We already have the community forum, but perhaps that is insufficient for discovery? 2) I'm going to request changes on this but leave it open until we actually have adequately resolved 1 and updated the documentation around AIPs to be more explicit. |
After internal discussion on AIPs, this was deemed not yet ready.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After internal discussion on AIPs, this was deemed not yet ready.
No description provided.