squamosa89
commented
5 years ago Currently AKC offers a tool for developer to "upload" .go file directly to the test peer machine. This behavior is highly insecure and tbh, extremely hard to make it secure ! There are couple of points here:
-
AKC peers, even in test network use resources and can be exploit to do something else (launch botnet, spam, mining, etc.)
-
Test network peers contains test Chaincode and probably test data from other developers/customers. Allowing everybody to upload arbitrary code to the machine has great risk in leaking those data.
-
Online unchecked code execution is extremely hard to secure. Sites like Hackerank often use a lot of different methods to secure such as limiting network connection, separate sandboxes, limit file access, etc. Yet, it is unlikely that we can implement those countermeasures in a timely limit.
Now, I propose 2 steps to "fix" this issue:
-
AKC Test offers a docker image with all deployed network and configuration. We'll provide a guide for developer to write Chaincode and some script to install, instantiate and invoke those Chaincode in their local docker container. We call this the "Local testing" step.
-
AKC Test Net allows developer to "upload" their Chaincode .go file. However, AKC Admin will personally review each of those code, then install them themselves. The installed Chaincode will be made available for the developer in their AKC Test Net account. (Probably on a separated channel ?). This is the "Review" step
-
Developer can instantiate and invoker ONLY THEIR OWN Chaincode in their own channel on AKC Test net. This is called the "Online testing" step.
0x369142857
We need a kind of deployment tool that developer can deploy and test their chaincode on AKC.