
v0.71.2 — Governance & supply-chain live (ed25519 + scan gate)

@MakazhanAlpamys released this 01 Jun 12:51 · 53 commits to main since this release

Governance & supply-chain controls go live: real ed25519 signatures for adapters and attestations, anti-AI-Jacking namespace pinning on Hub downloads, automatic license-conflict detection at merge, and a backdoor-scan gate that refuses to merge weight-space trojans.

What's New

  • ed25519 signing for soup adapters sign / soup attest — real detached signatures over the adapter Merkle root / the in-toto statement, via a new [sign] extra (pip install 'soup-cli[sign]', pulling cryptography).
    • soup adapters sign --backend ed25519 --key <priv.pem> (or --generate-key <out.pem>, or SOUP_SIGNING_KEY)
    • soup adapters verify [--public-key <trusted.pem>] — cryptographic verification; pass --public-key to check the signature against a key you already trust, which authenticates who signed. Without it the check only shows that the signature is self-consistent, not who produced it
    • soup attest emit --sign ed25519 --key <priv.pem> writes a <output>.sig sidecar; new soup attest verify <statement> --signature <sig> [--public-key <pem>] verifies it (canonical-JSON, so it's platform / newline-independent)
  • Anti-AI-Jacking namespace pin on Hub downloads — HF model fetches now consult a trust-on-first-use pin store. A repo whose author changes (or whose created_at jumps backward) is refused unless the namespace shift is explicitly allowed. Fails open when repo metadata is unavailable.
  • License auto-detection at soup adapters merge — when --license isn't given, the license is read from each adapter's adapter_config.json / config.json / model-card frontmatter (HF llama3.1-style ids are mapped to canonical identifiers) and the conflict gate runs automatically. Overrides (--license-override <reason>) are recorded to the audit log for legal review.
  • Backdoor-scan gate at soup adapters merge — refuses to merge any input whose soup adapters scan returns FAIL, and any input that cannot be scanned unless --allow-unscanned is passed; WARN is advisory only.
  • Concurrent-safe namespace pin store — SQLite WAL + busy-timeout + a cross-process file lock around get+insert, so concurrent writers don't lose the trust anchor.
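As an added illustration of the two merge-time gates above (license auto-detection with the conflict check, and the backdoor-scan gate) together with the redacted audit record that the Security section describes for overrides, here is a self-contained Python sketch. It is not soup-cli's own code: the lookup order, the HF-id to canonical-id map, the "at most one non-permissive license" conflict policy, the audit-log format and the argument caps are all assumptions chosen for the example, and the adapters it reads are constructed in a temp directory.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed lookup order when --license is not given on the command line.
CONFIG_FILES = ("adapter_config.json", "config.json")
FRONTMATTER_RE = re.compile(r"\A---\s*\n(.*?)\n---", re.S)
LICENSE_LINE_RE = re.compile(r"^license:\s*['\"]?([^'\"\n]+)", re.M)
# Constructed HF-id -> canonical-id map; the tool's real table is not reproduced here.
CANONICAL = {"llama3.1": "llama-3.1-community", "llama3": "llama-3-community",
             "apache-2.0": "apache-2.0", "mit": "mit"}
PERMISSIVE = {"apache-2.0", "mit"}          # assumed: these combine freely with anything
SECRET_FLAGS = {"--key", "--token", "--password"}
MAX_ARGS, MAX_ARG_LEN = 64, 256             # assumed caps for the audit record


def detect_license(adapter_dir: Path) -> Optional[str]:
    """First license declared in adapter_config.json, config.json, then README frontmatter."""
    for name in CONFIG_FILES:
        p = adapter_dir / name
        if p.is_file():
            lic = json.loads(p.read_text()).get("license")
            if lic:
                return CANONICAL.get(lic.lower(), lic.lower())
    readme = adapter_dir / "README.md"
    if readme.is_file():
        fm = FRONTMATTER_RE.match(readme.read_text())
        m = LICENSE_LINE_RE.search(fm.group(1)) if fm else None
        if m:
            lic = m.group(1).strip().lower()
            return CANONICAL.get(lic, lic)
    return None


def license_conflict(licenses: Iterable[Optional[str]]) -> Optional[str]:
    """Assumed policy: two or more distinct non-permissive licenses cannot be merged."""
    restrictive = {lic for lic in licenses if lic and lic not in PERMISSIVE}
    if len(restrictive) > 1:
        return "incompatible licenses: " + ", ".join(sorted(restrictive))
    return None


def redact_args(argv: Iterable[str]) -> List[str]:
    """Blank the value after any secret-carrying flag and cap count and length of args."""
    out, hide_next = [], False
    for arg in list(argv)[:MAX_ARGS]:
        if hide_next:
            out.append("<redacted>")
            hide_next = False
            continue
        flag, _, value = arg.partition("=")
        if flag in SECRET_FLAGS:
            out.append(flag + "=<redacted>" if value else flag)
            hide_next = not value
        else:
            out.append(arg[:MAX_ARG_LEN])
    return out


def gate_merge(scan: Dict[str, Optional[str]], dirs: Dict[str, Path], argv: List[str],
               audit_log: Path, allow_unscanned: bool = False,
               license_override: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). scan maps adapter -> PASS | WARN | FAIL | None (None: not scannable).

    FAIL always refuses; None refuses unless allow_unscanned; WARN is advisory only.
    A license conflict refuses unless license_override gives a reason, which is audited.
    """
    reasons = []
    for name, verdict in scan.items():
        if verdict == "FAIL":
            reasons.append(f"{name}: backdoor scan FAIL")
        elif verdict is None and not allow_unscanned:
            reasons.append(f"{name}: not scanned (pass --allow-unscanned to accept)")
        elif verdict == "WARN":
            reasons.append(f"{name}: scan WARN (advisory)")
    conflict = license_conflict(detect_license(d) for d in dirs.values())
    if conflict and not license_override:
        reasons.append(conflict)
    elif conflict:
        with audit_log.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps({"event": "license_override", "conflict": conflict,
                                 "reason": license_override[:MAX_ARG_LEN],
                                 "argv": redact_args(argv)}) + "\n")
    return (not [r for r in reasons if "(advisory)" not in r], reasons)


def demo() -> dict:
    """Constructed adapters: a (llama3.1 via adapter_config.json), b (apache-2.0 via
    README frontmatter), c (llama3 via config.json); the audit log lives in a temp dir."""
    root = Path(tempfile.mkdtemp())
    for name in "abc":
        (root / name).mkdir()
    (root / "a" / "adapter_config.json").write_text(json.dumps({"license": "llama3.1"}))
    (root / "b" / "README.md").write_text("---\nlicense: apache-2.0\n---\n# adapter b\n")
    (root / "c" / "config.json").write_text(json.dumps({"license": "llama3"}))
    log = root / "audit.jsonl"
    argv = ["soup", "adapters", "merge", "--key", "priv.pem", "--token=hf_constructed"]
    ab = {"a": root / "a", "b": root / "b"}
    ac = {"a": root / "a", "c": root / "c"}
    clean = gate_merge({"a": "PASS", "b": "WARN"}, ab, argv, log)
    blocked = gate_merge({"a": "FAIL", "b": None}, ab, argv, log)
    conflict = gate_merge({"a": "PASS", "c": "PASS"}, ac, argv, log)
    overridden = gate_merge({"a": "PASS", "c": "PASS"}, ac, argv, log,
                            license_override="legal ticket approved")
    audit = [json.loads(line) for line in log.read_text().splitlines()]
    return {"clean": clean, "blocked": blocked, "conflict": conflict,
            "overridden": overridden, "audit": audit}
```

The point to take from `gate_merge` is the asymmetry: a FAIL verdict cannot be waved through by any flag, an absent verdict needs an explicit opt-in, and the one override that does exist (license) leaves a record that strips the private key path and any token out of the captured command line before writing it.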

Install / Upgrade

pip install --upgrade soup-cli          # core
pip install --upgrade 'soup-cli[sign]'  # + ed25519 signing (cryptography)

Security

  • ed25519 verification fails closed — any tamper / wrong key / missing key / unreadable trusted key ⇒ invalid.
  • Signing keys and trusted public keys are symlink-rejected and size-capped via a shared hardened reader (no cwd-containment — keys deliberately live outside the project).
  • --generate-key refuses to overwrite any pre-existing path (no-clobber + TOCTOU-safe).
  • License-conflict overrides are appended (secret-redacted, arg-capped) to the audit log.
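To make the signing flow and the three hardening points above concrete (canonical-JSON detached signatures that survive reformatting, fail-closed verification, symlink-rejecting size-capped key reads, and no-clobber key generation), here is an added Python example using the cryptography package that the [sign] extra pulls in. It is not soup-cli's code: the helper names, the 16 KiB size cap, the in-toto-style statement with a hypothetical predicate type, and the sidecar handling are assumptions, and unlike the CLI it always requires a trusted public key.

```python
import json, os, stat, tempfile
from typing import Any, Optional

from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

MAX_KEY_BYTES = 16 * 1024  # assumed size cap; a PEM ed25519 key is a few hundred bytes
PEM_PUB = (serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


def canonical_json(obj: Any) -> bytes:
    """Sorted keys, no whitespace, UTF-8: the same bytes on every platform and newline style."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def write_private_key_noclobber(path: str, priv: Ed25519PrivateKey) -> None:
    """O_CREAT|O_EXCL is atomic, so a file (or symlink) racing into place cannot be clobbered."""
    pem = priv.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # FileExistsError if present
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem)


def read_key_file(path: str) -> Optional[bytes]:
    """Hardened reader: refuse symlinks, non-regular files and oversized files; None on any problem."""
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))  # ELOOP on a symlink
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())  # fstat the open descriptor: no check-then-read window
        if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_KEY_BYTES:
            return None
        return fh.read()


def load_trusted_key(pem: Optional[bytes]) -> Optional[Ed25519PublicKey]:
    """Only an ed25519 public key within the size cap is accepted; anything else is None."""
    if not pem or len(pem) > MAX_KEY_BYTES:
        return None
    try:
        key = serialization.load_pem_public_key(pem)
    except (ValueError, TypeError, UnsupportedAlgorithm):
        return None
    return key if isinstance(key, Ed25519PublicKey) else None


def verify_statement(statement_bytes: bytes, sig: Optional[bytes],
                     trusted_pem: Optional[bytes]) -> bool:
    """Fail closed: missing/unreadable key, wrong key, bad signature or tamper all give False."""
    key = load_trusted_key(trusted_pem)
    if key is None or not sig:
        return False
    try:
        key.verify(sig, canonical_json(json.loads(statement_bytes)))
    except (InvalidSignature, ValueError, TypeError):
        return False
    return True


def demo() -> dict:
    """Constructed in-toto-style statement signed with a fresh key in a temp dir."""
    root = tempfile.mkdtemp()
    key_path, link_path = os.path.join(root, "priv.pem"), os.path.join(root, "link.pem")
    priv = Ed25519PrivateKey.generate()
    write_private_key_noclobber(key_path, priv)
    try:
        write_private_key_noclobber(key_path, priv)
        clobbered = True
    except FileExistsError:
        clobbered = False
    os.symlink(key_path, link_path)
    pub_pem = priv.public_key().public_bytes(*PEM_PUB)
    other_pem = Ed25519PrivateKey.generate().public_key().public_bytes(*PEM_PUB)
    statement = {  # hypothetical predicate type; the subject digest is a placeholder
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "merged.safetensors", "digest": {"sha256": "00" * 32}}],
        "predicateType": "https://example.invalid/soup-merge/v1",
        "predicate": {"inputs": ["a", "b"]},
    }
    compact = canonical_json(statement)
    # The same statement as another tool might write it: indented, unsorted keys, CRLF line ends.
    pretty = json.dumps(statement, indent=2).replace("\n", "\r\n").encode()
    tampered = canonical_json(dict(statement, predicate={"inputs": ["a", "evil"]}))
    sig = priv.sign(canonical_json(json.loads(pretty)))  # sign the canonical form, not the file bytes
    flipped = bytes([sig[0] ^ 1]) + sig[1:]
    return {
        "clobbered": clobbered,
        "symlink_read": read_key_file(link_path) is not None,
        "regular_read": read_key_file(key_path) is not None,
        "accepted": [verify_statement(s, sig, pub_pem) for s in (compact, pretty)],
        "rejected": [verify_statement(tampered, sig, pub_pem),
                     verify_statement(compact, flipped, pub_pem),
                     verify_statement(compact, sig, other_pem),
                     verify_statement(compact, sig, None),
                     verify_statement(compact, sig, b"not a pem")],
    }
```

Two design choices matter here. Signing the canonical serialisation rather than the file bytes is what lets a statement survive a pretty-printer or a CRLF checkout, and it also means the verifier must re-canonicalise after parsing rather than hashing the file it was handed. Every failure path returns False instead of raising, so a caller cannot accidentally treat "could not load the trusted key" as anything other than "not verified".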

Known Limitations

  • Sigstore keyless signing stays infra-blocked. --backend sigstore / --sign sigstore raise a clear "infra-blocked" error: it needs an OIDC identity provider plus Fulcio/Rekor network round-trips, which cannot be honestly validated offline. The ed25519 half ships fully live; tracked under #179 / #185 (infra-blocked).
  • Namespace-pin metadata uses HF repo (author, created_at) only; it fails open when the Hub API is unreachable so a network blip never blocks a legitimate download. The flip side is that anyone who can make that metadata lookup fail also bypasses the pin, so treat it as a tripwire rather than authentication, and rely on ed25519-signed adapters verified against a trusted --public-key where provenance actually matters.
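The pin store described in What's New and in the limitation above, as an added example rather than soup-cli's own code. It shows the trust-on-first-use decision (pin on first sight, refuse on a changed author, fail open on missing metadata, re-pin only on an explicit allow) on top of the concurrency controls the release lists: SQLite in WAL mode, a busy-timeout, and a cross-process file lock around get+insert. The schema, lock-file name, the decision to re-pin on an explicit allow, and the sample metadata are assumptions; it uses fcntl, so it is Unix-only. It also goes one step beyond the text by treating any change in created_at as a namespace shift, not only a backward jump, since created_at never changes for a genuine repo and a deleted-and-recreated one will report a newer value.

```python
import fcntl
import os
import sqlite3
import tempfile
from contextlib import contextmanager
from typing import Optional, Tuple

Metadata = Tuple[str, str]  # (author, created_at) as reported by the Hub repo API


class PinStore:
    """Trust-on-first-use pins keyed by repo id; safe for concurrent writers."""

    def __init__(self, path: str):
        self.lock_path = path + ".lock"
        # timeout is SQLite's busy-timeout: wait for a writer instead of raising "database is locked"
        self.db = sqlite3.connect(path, timeout=5.0)
        self.db.execute("PRAGMA journal_mode=WAL")  # readers no longer block the writer
        self.db.execute("CREATE TABLE IF NOT EXISTS pins ("
                        "repo TEXT PRIMARY KEY, author TEXT NOT NULL, created_at TEXT NOT NULL)")
        self.db.commit()

    @contextmanager
    def _locked(self):
        """Cross-process lock around get+insert so two first-time fetchers cannot both pin."""
        fd = os.open(self.lock_path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(fd, fcntl.LOCK_EX)
            yield
        finally:
            fcntl.flock(fd, fcntl.LOCK_UN)
            os.close(fd)

    def check(self, repo: str, meta: Optional[Metadata],
              allow_namespace_shift: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason). None metadata fails open and leaves the pin untouched."""
        if meta is None:
            return True, "repo metadata unavailable; failing open without updating the pin"
        with self._locked():
            row = self.db.execute("SELECT author, created_at FROM pins WHERE repo = ?",
                                  (repo,)).fetchone()
            if row is None:
                self.db.execute("INSERT INTO pins VALUES (?, ?, ?)", (repo,) + meta)
                self.db.commit()
                return True, "first use; pinned"
            if tuple(row) == meta:
                return True, "matches pin"
            if allow_namespace_shift:  # assumed: an explicit allow re-pins to the new identity
                self.db.execute("UPDATE pins SET author = ?, created_at = ? WHERE repo = ?",
                                meta + (repo,))
                self.db.commit()
                return True, "namespace shift explicitly allowed; re-pinned"
            return False, f"refused: pinned {tuple(row)} but the Hub now reports {meta}"


def demo() -> dict:
    """Constructed metadata: a legitimate repo, then the same name reclaimed by a new repo."""
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.sqlite"))
    repo = "acme/llama-3.1-lora"
    legit = ("acme", "2024-07-23T10:00:00Z")
    recreated = ("acme", "2025-03-01T08:00:00Z")  # same author name, repo deleted and recreated
    return {
        "first_use": store.check(repo, legit)[0],
        "repeat": store.check(repo, legit)[0],
        "author_change": store.check(repo, ("acme-official", legit[1]))[0],
        "recreated": store.check(repo, recreated)[0],
        "api_down": store.check(repo, None)[0],
        "still_pinned": store.check(repo, recreated)[0],
        "allowed": store.check(repo, recreated, allow_namespace_shift=True)[0],
        "after_allow": store.check(repo, recreated)[0],
    }
```

Note the ordering in `check`: the fail-open branch returns before the lock is taken and never writes, so an outage cannot be used to plant a pin, and the get+insert pair runs under one exclusive lock so that two processes fetching a never-seen repo at the same instant cannot each read "no pin" and then race to write different trust anchors.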

Full notes: see CHANGELOG.md.

🤖 Generated with Claude Code