Consider storing pregenerated files in git #2144

Open
madsmtm opened this issue Sep 15, 2024 · 1 comment
Comments

madsmtm commented Sep 15, 2024

The ring package is published on crates.io without git information, because it includes files that are not part of the repository. It would be better if all the files that are on crates.io were also present in the repository. While I recognize that this isn't really the "pure" and "clean" way to use git, on the other hand, it also makes part of automatic security auditing much easier, see e.g. https://lib.rs/~briansmith/dash#crate-ring.

I encountered this today when trying to use ring from source via crates-io.patch on Mac Catalyst, and having it fail to pre-generate the files there, so it's also a usability issue.

Tip: You can add pregenerated linguist-generated to .gitattributes to avoid GitHub counting it, and you should probably also add exclude = ["generated/tmp/*"] to Cargo.toml to avoid the temp files being uploaded to crates.io too.

briansmith (Owner) commented Sep 27, 2024

Here is my tentative plan:

  • Add doc/supply-chain-integrity.md (or whatever) that documents the design of the solution we choose.
  • Create a new briansmith/ring-packaged-crate repository that will contain one commit for each release to crates.io.
  • Document the situation in briansmith/ring-packaged-crate/README.md, including a link to the "real" briansmith/ring repository.
  • Update Cargo.toml to point to briansmith/ring-packaged-crate instead of briansmith/ring, along with comments that point to the documentation.
  • Add mk/release.sh that executes mk/package.sh and then creates a PR to briansmith/ring-packaged-crate with the new package contents, where the commit message of the commit in the PR mentions the corresponding briansmith/ring commit hash.
  • Add a mk/verify-packaged.sh that verifies that a particular commit of briansmith/ring-packaged-crate contains exactly the output of mk/release.sh for the git commit hash of briansmith/ring that is mentioned in that commit's commit message.
  • Add a GitHub Actions job that runs mk/verify-packaged.sh

This way, people who naively run generic "check that the package contents match what is in Git" tools will automatically get a good result. We can also expand the supply chain integrity verification document to explain how users can run mk/verify-packaged.sh and/or mk/release.sh themselves as part of a less naive verification process.
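The verification step in the plan above (check that a packaged-crate commit contains exactly the mk/package.sh output for the ring commit named in its message) can be sketched as a POSIX shell script. This is an added example, not a script from briansmith/ring or briansmith/ring-packaged-crate, and it makes three assumptions that the issue does not state: the packaged-crate commit message carries a line of the form `ring-commit: <40-hex hash>`, `mk/package.sh` writes the crate contents into the directory passed as its first argument, and `.git` metadata plus `generated/tmp` scratch output are never part of the package.

```shell
#!/bin/sh
# Added example, not a script from briansmith/ring. It sketches what a
# mk/verify-packaged.sh could do. Assumptions not taken from the issue:
#   - the packaged-crate commit message carries a line "ring-commit: <40-hex>";
#   - mk/package.sh at the upstream commit writes the crate contents into the
#     directory given as its first argument;
#   - .git metadata and generated/tmp scratch files are never part of the package.
set -eu

# Print the upstream ring commit hash named in a packaged-crate commit message.
# Fails unless exactly one distinct hash is named, so an ambiguous or missing
# reference can never verify.
extract_upstream_commit() {
    found=$(printf '%s\n' "$1" \
        | sed -n 's/^ring-commit: \([0-9a-f]\{40\}\)[[:space:]]*$/\1/p' \
        | sort -u)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Byte-for-byte comparison of the committed package tree with a freshly
# generated one. Entries named .git or tmp are skipped (-x matches basenames,
# so generated/tmp is covered). Returns 0 only if nothing differs; the list of
# differing or missing files goes to stdout.
compare_trees() {
    diff -r -q -x .git -x tmp "$1" "$2"
}

# Export a commit's tree into a fresh directory without touching any worktree.
# Arguments: <repo> <commit> <destination dir>
export_tree() {
    mkdir -p "$3"
    git -C "$1" archive --format=tar "$2" | tar -xf - -C "$3"
}

# Full check for one packaged-crate commit: read the upstream hash from its
# message, rebuild the package from that upstream commit, and compare.
# Arguments: <packaged-crate repo> <packaged commit> <ring repo>
verify_packaged_commit() {
    packaged_repo=$1; packaged_commit=$2; ring_repo=$3
    work=$(mktemp -d)
    msg=$(git -C "$packaged_repo" log -1 --format=%B "$packaged_commit")
    if ! upstream=$(extract_upstream_commit "$msg"); then
        echo "$packaged_commit: no single ring-commit line in message" >&2
        return 1
    fi
    export_tree "$packaged_repo" "$packaged_commit" "$work/packaged"
    export_tree "$ring_repo" "$upstream" "$work/ring"
    # Assumed mk/package.sh interface: output directory as first argument.
    (cd "$work/ring" && ./mk/package.sh "$work/regenerated")
    if compare_trees "$work/packaged" "$work/regenerated"; then
        echo "$packaged_commit matches mk/package.sh output of ring@$upstream"
    else
        echo "$packaged_commit does NOT match ring@$upstream" >&2
        return 1
    fi
}

# Run the full check only when invoked with the three repository arguments.
if [ "$#" -eq 3 ]; then
    verify_packaged_commit "$1" "$2" "$3"
fi
```

Invoked as `sh verify-packaged.sh ../ring-packaged-crate <commit> ../ring`, the script exits non-zero if the commit message names zero or several upstream hashes, or if any file in the committed tree differs from, is missing from, or is extra relative to the regenerated package. A GitHub Actions job along the lines of the plan would run it once per new commit in the packaged-crate repository; a downstream user can run the same thing against the commit that Cargo.toml points at.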
