So, the theme of this tool and repo is a completely over-engineered tool for checking and handling hash lock files. Right? How can we really make this concept interesting?
The idea of a lockfile is that it captures state at a certain moment in time, and is committed to source control. Initially, the idea of a "lockfile" for hashlocks seems silly.
But, if that file was signed, say, with GPG, it would be possible to establish new guarantees. Without a lockfile, this tool can guarantee that: at a moment in time, when the tool was run, the hashlock files matched their subjects. Extended with a signed lockfile to gather these locks, we can establish the following guarantees:
1. (Carried) at a moment in time, when the tool was run, the hashlock files matched their subjects
2. At that time, the tool was run with proper provenance and the code matched the expected binary or source state (JS, bin)
3. At that time, the tool was run with a specific version or hash of the hashlocks tool
4. At that time, the tool was run in an authorized environment
5. At that time, all hashlocks in aggregate summed to a known value
As a codebase evolves, with the lockfile in place, replacing one or more individual subjects and updating the hashlock would no longer pass checks.
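As an added illustration of the proposal above (not code from the hashlocks project), here is a stdlib-only Python sketch of a signed aggregate lockfile. It assumes a JSON lockfile, SHA-256 hashlocks, and uses an HMAC-SHA256 detached signature as a stand-in for the GPG signature discussed in the issue; the subject paths and contents, the environment identifier, the "tool digest" and the signing key are all constructed for the demo. The point it shows is the last paragraph: once the per-file locks are gathered into a signed aggregate, swapping a subject and updating its individual hashlock still passes the per-file check but fails the lockfile check.

```python
"""Signed aggregate lockfile for hashlocks (added example, stdlib only).

Assumptions, not the project's format: JSON lockfile, SHA-256 hashlocks, and
HMAC-SHA256 standing in for a GPG detached signature over the lockfile bytes.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for "the tool's own code" and an authorized environment.
TOOL_SOURCE = b"def check(): ...  # constructed stand-in for the tool's source"
TOOL_DIGEST = hashlib.sha256(TOOL_SOURCE).hexdigest()
ENVIRONMENT = "ci-runner-1"
SIGNING_KEY = b"constructed-demo-key"  # a real deployment would use a GPG key

SUBJECTS = {  # constructed sample subjects the hashlocks cover
    "vendor/lib-a.js": b"export const a = 1;\n",
    "vendor/lib-b.js": b"export const b = 2;\n",
}


def hashlock(data: bytes) -> str:
    """The per-subject hashlock: SHA-256 of the subject bytes."""
    return hashlib.sha256(data).hexdigest()


def aggregate(locks: dict) -> str:
    """Order-independent, unambiguous digest over all (path, hashlock) pairs."""
    h = hashlib.sha256()
    for path in sorted(locks):
        h.update(path.encode() + b"\0" + locks[path].encode() + b"\n")
    return h.hexdigest()


def canonical(lockfile: dict) -> bytes:
    """Canonical JSON so the signature covers one unambiguous byte string."""
    return json.dumps(lockfile, sort_keys=True, separators=(",", ":")).encode()


def build_lockfile(subjects: dict, tool_digest: str, environment: str) -> dict:
    locks = {path: hashlock(data) for path, data in subjects.items()}
    return {"tool": tool_digest, "environment": environment,
            "locks": locks, "aggregate": aggregate(locks)}


def sign(lockfile: dict, key: bytes) -> str:
    """Detached signature over the canonical lockfile (HMAC stands in for GPG)."""
    return hmac.new(key, canonical(lockfile), hashlib.sha256).hexdigest()


def verify(lockfile, signature, key, subjects, tool_digest, environment):
    """Return (ok, reason). The signature is checked first: nothing else in the
    lockfile can be trusted until the bytes are known to be the signed ones."""
    if not hmac.compare_digest(signature, sign(lockfile, key)):
        return False, "signature does not match lockfile contents"
    if lockfile["tool"] != tool_digest:
        return False, "lockfile was produced by a different tool version"
    if lockfile["environment"] != environment:
        return False, "lockfile was produced in an unauthorized environment"
    if lockfile["aggregate"] != aggregate(lockfile["locks"]):
        return False, "aggregate does not match individual hashlocks"
    if set(lockfile["locks"]) != set(subjects):
        return False, "subject set changed"
    for path, data in subjects.items():
        if lockfile["locks"][path] != hashlock(data):
            return False, f"hashlock mismatch for {path}"
    return True, "ok"


def honest_run():
    lockfile = build_lockfile(SUBJECTS, TOOL_DIGEST, ENVIRONMENT)
    sig = sign(lockfile, SIGNING_KEY)
    return verify(lockfile, sig, SIGNING_KEY, SUBJECTS, TOOL_DIGEST, ENVIRONMENT)


def tamper_subject_and_hashlock():
    """Replace one subject and update its hashlock, as the last paragraph describes.
    Returns (per_file_check_passes, signed_lockfile_verdict)."""
    lockfile = build_lockfile(SUBJECTS, TOOL_DIGEST, ENVIRONMENT)
    sig = sign(lockfile, SIGNING_KEY)
    tampered_subjects = dict(SUBJECTS)
    tampered_subjects["vendor/lib-a.js"] = b"export const a = 'evil';\n"
    tampered = json.loads(canonical(lockfile))  # deep copy of the committed lockfile
    tampered["locks"]["vendor/lib-a.js"] = hashlock(tampered_subjects["vendor/lib-a.js"])
    # Without the lockfile, the tool only compares each hashlock to its subject:
    per_file_ok = all(tampered["locks"][p] == hashlock(d)
                      for p, d in tampered_subjects.items())
    return per_file_ok, verify(tampered, sig, SIGNING_KEY, tampered_subjects,
                               TOOL_DIGEST, ENVIRONMENT)


def wrong_tool_run():
    """A signed lockfile made by a different tool build is rejected."""
    lockfile = build_lockfile(SUBJECTS, "0" * 64, ENVIRONMENT)
    sig = sign(lockfile, SIGNING_KEY)
    return verify(lockfile, sig, SIGNING_KEY, SUBJECTS, TOOL_DIGEST, ENVIRONMENT)


if __name__ == "__main__":
    print("honest:", honest_run())
    print("tampered:", tamper_subject_and_hashlock())
    print("wrong tool:", wrong_tool_run())
```

Whoever holds the signing key can of course re-sign after a swap, so guarantee 2 to 4 only hold as far as the key is kept out of the environment that runs the check; an attacker who can only edit files in the tree gets to update a hashlock, not to produce a valid signature over the new aggregate.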