Reproducible Builds #17
Comments
|
This is still a high priority for me, but I'm going to wait until after the second beta to address it. |
|
I've decided against automating this verification. Instead, the information should be available to the end user. The tools (barge and Pharaoh) already exist to perform this verification. Every extension update that goes into Keyggdrasil should include the current URI of the version control software and the commit hash of that update. This way, the information is public and auditable. If someone wants to verify that the package in the archive is the same one they build from the source code, they can. If even one person does, since everyone sees the same thing, it strengthens the security of everyone. Caveat: Only open source packages can be truly delivered securely. Thanks @defuse for confirming we don't need this to be automated and provided for the users. |
|
Yep, exactly right. |
We need to be able to say, "Yes, this build was reproduced identically from the source code."
The only way I can think to do this reliably is to spin up a cluster of servers running Pharaoh (and equivalent) to diff the Phars for each package.
When a developer uploads a file with barge, they must include a git commit ID, which will be used in conjunction with their repository URL to ask Pharaoh to reproduce it.
My "it's 1:40 AM and I need sleep but want to get this on paper" thoughts on this:
"reproducible": trueflag to get set by the channel when the user retrieves updates.If @defuse has any comments, I'd love to hear them.
The text was updated successfully, but these errors were encountered: