CKB System Scripts Automation and Security Requirements Epic #17

Closed
6 tasks done
doitian opened this issue Jun 7, 2019 · 1 comment
@doitian
Member

doitian commented Jun 7, 2019

This is an Epic; please start a new issue for each objective listed below.

Reproducible Docker Builder

  • Provide a Dockerfile to show how we create the builder.

Security Requirements:

  • The Dockerfile must verify the downloaded gcc package checksum.

Build using an existing Docker Builder image

  • Ease building the scripts using a docker image.

Security Requirements:

  • The build script must verify the checksum of the builder image.

CI has already been set up in #15.

Binary Build and Crate Publish via CI

  • Do not store the binaries in the repository. Developers and CI must build the scripts into binaries by themselves.

Setup CI to automate the publishing workflow:

  • Build binaries
  • Run test
  • Publish the Rust crate including the binaries.

Security Requirements:

  • Publish the code hashes of each system script in the release.
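
The two checksum requirements above (the downloaded gcc package and the builder image), written as fail-closed shell helpers; this is an added example, not code from the issue or from the project. The function names, file names and variables are hypothetical, and SHA-256 is assumed as the checksum algorithm because the issue does not name one.

```shell
#!/bin/sh
# Added example (not project code). Names and sample values are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE (empty on failure).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | cut -d' ' -f1
}

# verify_sha256 FILE PINNED_HEX
# Exit status: 0 match, 1 mismatch, 2 unusable input (bad pin, missing file).
# The body runs in a subshell, so its variables do not leak to the caller.
verify_sha256() (
    file=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A pin that is empty or truncated (e.g. an unset variable) must never pass.
    printf '%s\n' "$pinned" | grep -Eq '^[0-9a-f]{64}$' || {
        echo "verify_sha256: pin is not a 64-digit hex SHA-256" >&2; exit 2; }
    [ -f "$file" ] || { echo "verify_sha256: $file: no such file" >&2; exit 2; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$pinned" ] && exit 0
    echo "verify_sha256: $file: expected $pinned, got ${actual:-nothing}" >&2
    exit 1
)

# is_digest_pinned IMAGE_REF
# True only for name@sha256:<64 hex>. A tag such as name:latest can be moved
# to different content by whoever controls the registry, so it is rejected.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Typical use in a build script (placeholders, not real values):
#   verify_sha256 toolchain.tar.gz "$PINNED_SHA256" || exit 1
#   is_digest_pinned "$BUILDER_IMAGE" || exit 1
#   docker run --rm "$BUILDER_IMAGE" make
```

When an image is referenced by digest, Docker checks the pulled content against that digest, so the build script only has to refuse references that are not pinned.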
@doitian doitian added the Epic label Jun 7, 2019
@doitian doitian removed the Epic label Jun 18, 2019
@doitian doitian added this to Normal Priority in CKB - Issues Aug 20, 2019
@doitian doitian moved this from Normal priority to High priority in CKB - Issues Aug 20, 2019
@doitian doitian moved this from High priority to Planned in CKB - Issues Aug 20, 2019
@xxuejie
Collaborator

xxuejie commented Nov 13, 2019

The docker files are kept here: https://github.com/nervosnetwork/ckb-riscv-gnu-toolchain/tree/master/docker

And it actually uses a slightly different way: instead of downloading the official gcc distribution, we are using the riscv gcc fork, which packs all the GNU toolchain in an easier way to build. For reproducible builds, the docker files have some extra steps:

  1. It ensures the local repository does not have dirty changes.
  2. It keeps a REVISION file containing the original commit from which gcc is built.

This way IMO also ensures the built toolchain can be verified. Any thoughts, @doitian?

@doitian doitian closed this as completed Nov 13, 2019