Skip to content

Packages should be built from source #235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lu4p opened this issue Dec 12, 2023 · 3 comments
Open

Packages should be built from source #235

lu4p opened this issue Dec 12, 2023 · 3 comments

Comments

@lu4p
Copy link

lu4p commented Dec 12, 2023
edited
Loading

There is a lot of verification done to make sure that a thing that is downloaded is definitely a thing that is uploaded, and that someone is allowed to upload something.

This design takes inspiration from programming language package managers, where packages can be verified by reading the source code.

However this is very different, we want to securely distribute binaries, which aren't human readable. This is something Linux distributions are good at, read https://wiki.debian.org/SourceOnlyUpload.

How I think it should work:

  1. Maintainer figures out how to build a package locally.
  2. Maintainer uploads signed files:
  • where to get the upstream source
  • bindings for the source
  • how to build the source
  • which files to distribute

And if the build is reproducible a signed checksum for the resulting binary(s).

I would take inspiration from arch's "PKGBUILD" here. Those are relatively short and easy to verify. Alternatively a simple template for a Dockerfile would also work.

  1. Then a registry builds and verifies the package from source.

  2. User downloads and verifies a package. Reproducible builds would be important here, otherwise verification is close to impossible, maybe non-reproducible packages could be built from source instead (using docker).

Otherwise if Maintainers upload binaries it is hard to verify, that they don't just ship straight up malware.

Without building from source the other security measures amount to security theater. The only verified fact is: this version is from the same random guy who uploaded the last version.

Sorry if this comes across as a little blunt, I want WASI to succeed and it's not going to if dependencies can't be easily verified.
@lann
Copy link
Collaborator

lann commented Dec 12, 2023

Reproducible and authenticated builds are an excellent goal for the Wasm ecosystem but in terms of implementation mostly outside of the scope of this specific project. We are planning to add pluggable package verification; one clear use-cases for that would be verification of package signatures from a build system. That build system is what would be responsible for the kind of process you describe.

While it is true that securing the delivery of binary packages from publisher to consumer only covers part of the supply chain, it is an important link in that chain.

@lu4p
Copy link
Author

lu4p commented Dec 12, 2023

While listening to this talk https://youtu.be/1QbfKzQgD0E, where possible attacks on the ecosystem were mentioned, I was surprised to not find any mention of possible malicious Maintainers.

I was a bit worried that maintainers will be just absolutely trusted in this model, I'm glad to hear there is already some kind of idea how this could be mitigated.

In my view although package signing is also nice to have, authenticated builds are absolutely essential.

@calvinrp
Copy link
Collaborator

Reproducible / verifiable build from source is a desirable property for package distribution. I was thinking it can be implemented by CI/CD type of services that publish on top of the Warg protocol.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lann @calvinrp @lu4p