Packages should be built from source #235
Description
There is a lot of verification done to make sure that the thing that is downloaded is definitely the thing that was uploaded, and that someone is allowed to upload something.
This design takes inspiration from programming language package managers, where packages can be verified by reading the source code.
However, this is very different: we want to securely distribute binaries, which aren't human-readable. This is something Linux distributions are good at; read https://wiki.debian.org/SourceOnlyUpload.
How I think it should work:
- Maintainer figures out how to build a package locally.
- Maintainer uploads signed files:
  - where to get the upstream source
  - bindings for the source
  - how to build the source
  - which files to distribute
  - and, if the build is reproducible, a signed checksum for the resulting binary (or binaries)

  I would take inspiration from Arch's "PKGBUILD" here. Those are relatively short and easy to verify. Alternatively, a simple template for a Dockerfile would also work.
- Then a registry builds and verifies the package from source.
- User downloads and verifies a package. Reproducible builds would be important here; otherwise verification is close to impossible. Maybe non-reproducible packages could be built from source instead (using Docker).
Otherwise, if maintainers upload binaries, it is hard to verify that they don't just ship straight-up malware.
Without building from source, the other security measures amount to security theater. The only verified fact is: this version is from the same random guy who uploaded the last version.
Sorry if this comes across as a little blunt, I want WASI to succeed and it's not going to if dependencies can't be easily verified.
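The flow proposed in this issue, as an added Python example (not code from the issue author or from the registry project): a short, signed recipe pins the upstream source and names the build and the shipped files; the registry rebuilds from that pinned source and refuses output that disagrees with the maintainer's checksums; a user either checks a download against those checksums or, when none were published, rebuilds locally and compares. The names (`Recipe`, `registry_build`, `user_verify`, the toy compilers) and the sample "upstream" files are invented for the illustration, and verifying the signature on the recipe itself is assumed to be handled by the upload checks the issue already mentions.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple

Files = Dict[str, bytes]  # file name -> contents


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digest(files: Files) -> str:
    """Order-independent hash of a set of files; stands in for the pin of a source tarball."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + sha256(files[name]).encode() + b"\n")
    return h.hexdigest()


@dataclass(frozen=True)
class Recipe:
    """The short, human-reviewable, maintainer-signed part of an upload (cf. PKGBUILD). Hypothetical."""
    source_url: str                     # where to get the upstream source
    source_sha256: str                  # pin of that source; bindings/patches would be pinned the same way
    build: Callable[[Files], Files]     # how to build (a shell function in a real PKGBUILD)
    distribute: Tuple[str, ...]         # which built files are shipped
    artifact_sha256: Mapping[str, str]  # maintainer's checksums of shipped files, only if the build is reproducible


class VerificationError(Exception):
    pass


def fetch_source(recipe: Recipe, source: Files) -> Files:
    """Stand-in for downloading recipe.source_url; the pin check is the part that matters."""
    if tree_digest(source) != recipe.source_sha256:
        raise VerificationError("upstream source does not match the pinned hash")
    return source


def registry_build(recipe: Recipe, source: Files) -> Files:
    """Registry side: rebuild from pinned source; refuse outputs the maintainer's signed checksums disagree with."""
    built = recipe.build(fetch_source(recipe, source))
    shipped: Files = {}
    for name in recipe.distribute:
        if name not in built:
            raise VerificationError(f"recipe distributes {name!r} but the build did not produce it")
        expected = recipe.artifact_sha256.get(name)
        if expected is not None and sha256(built[name]) != expected:
            raise VerificationError(f"{name!r}: rebuilt hash differs from the maintainer's signed hash")
        shipped[name] = built[name]
    return shipped


def is_reproducible(recipe: Recipe, source: Files) -> bool:
    """Two independent builds of the same pinned source must agree bit for bit on every shipped file."""
    src = fetch_source(recipe, source)
    a, b = recipe.build(src), recipe.build(src)
    return all(a.get(n) == b.get(n) for n in recipe.distribute)


def user_verify(recipe: Recipe, downloaded: Files, source: Optional[Files] = None) -> bool:
    """User side: compare a download against the signed checksums, or rebuild locally when there are none.
    Returns False when neither check is possible: then all that is known is who uploaded it."""
    if set(downloaded) != set(recipe.distribute):
        return False
    if all(n in recipe.artifact_sha256 for n in recipe.distribute):
        return all(sha256(downloaded[n]) == recipe.artifact_sha256[n] for n in recipe.distribute)
    if source is None:
        return False
    rebuilt = recipe.build(fetch_source(recipe, source))
    return all(rebuilt.get(n) == downloaded[n] for n in recipe.distribute)


# Constructed sample input: a two-file "upstream" and two toy compilers (not real tooling).
SOURCE: Files = {
    "lib.wat": b"(func $add (param i32 i32) (result i32) local.get 0 local.get 1 i32.add)",
    "main.wat": b"(func $main (call $add))",
}


def deterministic_build(src: Files) -> Files:
    """Toy compiler whose output depends only on its inputs."""
    return {"pkg.wasm": b"\0asm" + b"".join(src[n] for n in sorted(src)), "build.log": b"ok"}


_build_counter = itertools.count()


def timestamped_build(src: Files) -> Files:
    """Same toy compiler, but it embeds a per-run build id (think timestamps or paths): not reproducible."""
    out = deterministic_build(src)
    out["pkg.wasm"] += b"built#%d" % next(_build_counter)
    return out


# Maintainer step: build locally, record the pin and the output checksum, then sign the recipe.
PIN = tree_digest(SOURCE)
GOOD_RECIPE = Recipe("https://example.invalid/upstream-1.0.tar.gz", PIN, deterministic_build, ("pkg.wasm",),
                     {"pkg.wasm": sha256(deterministic_build(SOURCE)["pkg.wasm"])})
NONREPRO_RECIPE = Recipe(GOOD_RECIPE.source_url, PIN, timestamped_build, ("pkg.wasm",), {})  # no stable checksum possible

if __name__ == "__main__":
    shipped = registry_build(GOOD_RECIPE, SOURCE)
    print("registry published:", sorted(shipped))
    print("download verifies:", user_verify(GOOD_RECIPE, shipped))
    print("tampered download verifies:", user_verify(GOOD_RECIPE, {"pkg.wasm": shipped["pkg.wasm"] + b"\x90"}))
    print("reproducible:", is_reproducible(GOOD_RECIPE, SOURCE), is_reproducible(NONREPRO_RECIPE, SOURCE))
```

The registry publishes only what it rebuilt itself, so a maintainer's uploaded binary never reaches users; the checksum in the recipe is a claim the registry checks, not something it trusts. The non-reproducible recipe shows the failure mode from the issue: the registry can still build and publish it, but neither the checksum path nor the rebuild-and-compare path can confirm that the bytes a user received are the bytes the source produces.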