The validator should rerun each source service on a list of known audited ones in a way so it can verify that the output is bit by bit identical. If there is a difference it should error.
Each source service needs to be audited for these rules:
1. It requires a hash, signature or public key in its _service input to verify, before use, anything it downloads or any other input it obtains from outside the package source and its installation (unless a to-be-defined argument is used to signal insecure operation, which the validator fails on finding in _service).
2. It should not use as input its output from a previous run.
3. Its output is reproducible (if the input and downloads are the same), so it can be verified.
We might need to pick a common argument to pass to source services to run them in reproduce mode. While ideally this would not be needed, for reproducing certain things there might be no other way. E.g. to be able to reproduce a git clone once the origin repo has already been updated, a list of names and hashes of refs is needed. While we could force the maintainer to supply these as input, if we are careful, taking these from the output can be made secure enough to not warrant the inconvenience.
It might also be necessary to have a common format to record which files were produced by which source service. This can also help for telling users they do not need to review those files when displaying a diff for review.
As a first step towards this we can start by only verifying that services following the first rules are in use, without verifying reproducibility. And as a second step also verify reproducibility, for only those services that are known to support this. Together this would allow it to be done incrementally.
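As an added illustration of the validator sketched above (example code written for this page, not code from the issue author or from the Open Build Service project), the Python below parses a _service file, applies rule 1 (every service is on an audited list and carries a hash, signature or key parameter unless the opt-out argument is present), then reruns each service and requires byte-identical output against the committed package files, recording which files each service produced. The audited-service table, the parameter names it looks for, the opt-out parameter name `allow-unverified`, the two sample _service documents and the `fake_run` stand-in for executing a service are all assumptions constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Hypothetical audit table (an assumption, not an OBS-maintained list):
# service name -> parameter names that carry verification material.
AUDITED_SERVICES = {
    "download_files": {"sha256", "signature"},
    "obs_scm": {"revision"},  # a commit hash pins what the clone must yield
}
# Hypothetical name for the "insecure operation" opt-out argument.
INSECURE_PARAM = "allow-unverified"


def parse_service_file(xml_text):
    """Parse a _service XML into a list of (service name, {param: value})."""
    root = ET.fromstring(xml_text)
    services = []
    for svc in root.findall("service"):
        params = {p.get("name"): (p.text or "").strip() for p in svc.findall("param")}
        services.append((svc.get("name"), params))
    return services


def audit(services):
    """Rule 1: every service is audited and pins its external inputs."""
    errors = []
    for name, params in services:
        if name not in AUDITED_SERVICES:
            errors.append(f"{name}: not on the audited service list")
        elif INSECURE_PARAM in params:
            errors.append(f"{name}: insecure operation requested via '{INSECURE_PARAM}'")
        elif not AUDITED_SERVICES[name] & set(params):
            errors.append(f"{name}: no hash, signature or public key parameter")
    return errors


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_reproducible(services, run_service, committed):
    """Rule 3: rerun each service and require byte-identical output.

    run_service(name, params) -> {filename: bytes}; committed is the package
    content as checked in ({filename: bytes}). Returns (errors, manifest);
    manifest records which files each service produced, with their digests.
    """
    errors, manifest = [], {}
    for name, params in services:
        produced = run_service(name, params)
        manifest[name] = {fname: sha256(data) for fname, data in produced.items()}
        for fname, digest in manifest[name].items():
            if fname not in committed:
                errors.append(f"{name}: produced {fname}, which is not in the package")
            elif sha256(committed[fname]) != digest:
                errors.append(f"{name}: {fname} differs from the committed copy")
    return errors, manifest


def validate(xml_text, run_service, committed):
    """Run both checks; an empty list means the package passes."""
    services = parse_service_file(xml_text)
    errors = audit(services)
    if errors:  # never rerun unaudited or unpinned services
        return errors
    rerun_errors, _manifest = verify_reproducible(services, run_service, committed)
    return rerun_errors


# Constructed sample _service files (not real packages).
SERVICE_OK = """<services>
  <service name="download_files">
    <param name="sha256">9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</param>
  </service>
  <service name="obs_scm">
    <param name="url">https://example.invalid/upstream.git</param>
    <param name="revision">0123abcd</param>
  </service>
</services>"""

SERVICE_BAD = """<services>
  <service name="download_files"/>
  <service name="obs_scm">
    <param name="url">https://example.invalid/upstream.git</param>
    <param name="allow-unverified">yes</param>
  </service>
  <service name="unaudited_thing"/>
</services>"""


def fake_run(name, params):
    """Constructed stand-in for executing a source service (deterministic)."""
    if name == "download_files":
        return {"upstream-1.0.tar.gz": b"constructed tarball bytes"}
    if name == "obs_scm":
        return {"upstream.obscpio": b"clone at " + params["revision"].encode()}
    raise ValueError(name)


# Package content as checked in after an honest service run, and a copy
# where the tarball was silently swapped.
COMMITTED_OK = {
    "upstream-1.0.tar.gz": b"constructed tarball bytes",
    "upstream.obscpio": b"clone at 0123abcd",
}
COMMITTED_TAMPERED = dict(COMMITTED_OK, **{"upstream-1.0.tar.gz": b"something else"})

if __name__ == "__main__":
    print(validate(SERVICE_OK, fake_run, COMMITTED_OK))
    print(validate(SERVICE_BAD, fake_run, COMMITTED_OK))
    print(validate(SERVICE_OK, fake_run, COMMITTED_TAMPERED))
```

The audit runs before any rerun so that a service which is not on the list, or which opted out of verification, is never executed by the validator at all; the manifest returned by `verify_reproducible` is the per-service file record the issue suggests, and is what a review UI could use to skip service-generated files in a diff.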