Open rigzba21 opened 2 years ago
Possible integration point for SBOM generation? https://github.com/anchore/syft/issues/932
```shell
# use conda as the solver for linux-64
conda-vendor vendor --file environment.yaml --solver conda --platform linux-64
# use mamba as the solver for osx-64
conda-vendor vendor --file environment.yaml --solver mamba --platform osx-64
# use micromamba as the solver for the host platform
conda-vendor vendor --file environment.yaml --solver micromamba
```
Now supports conda, mamba, and micromamba solvers.
Generate a SLSA spec compliant attestation
```shell
# "attest" as a subcommand
conda-vendor attest --vendored-channel path/to/my/vendored-channel/
```
which would produce an attestation file `attestation.yaml`.
Components (from in-toto attestation spec):
- Envelope: Handles authentication and serialization
- Statement: Binds the attestation to a particular subject and unambiguously identifies the types of the predicate
- Predicate: Contains arbitrary metadata about the subject, with a type-specific schema
- Bundle: Defines a method of grouping multiple attestations together
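To make the Statement and Envelope components above concrete, here is an added example (not conda-vendor's code) that builds an in-toto Statement over a constructed vendored-channel directory and wraps it in a DSSE envelope. The directory layout, the predicate content and the helper names are assumptions; signing is left to an external signer such as sigstore, which would sign the returned PAE bytes.

```python
import base64
import hashlib
import json
import os
import tempfile

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v0.2"  # predicate type
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def channel_subjects(channel_dir):
    """One subject (relative path + sha256) per file in the vendored channel."""
    subjects = []
    for root, _dirs, files in os.walk(channel_dir):
        for fname in files:
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, channel_dir).replace(os.sep, "/")
            subjects.append({"name": rel, "digest": {"sha256": digest}})
    return sorted(subjects, key=lambda s: s["name"])

def build_statement(channel_dir, predicate):
    """Statement: binds the subjects to a typed predicate (in-toto v0.1)."""
    return {"_type": IN_TOTO_STATEMENT, "subject": channel_subjects(channel_dir),
            "predicateType": SLSA_PROVENANCE, "predicate": predicate}

def dsse_pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes a signer signs."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)

def build_envelope(statement):
    """Envelope: canonical JSON payload, base64-encoded, plus the PAE to sign.
    Signatures are added by an external signer (e.g. sigstore); none here."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    envelope = {"payloadType": PAYLOAD_TYPE,
                "payload": base64.b64encode(payload).decode(), "signatures": []}
    return envelope, dsse_pae(PAYLOAD_TYPE, payload)

def make_sample_channel():
    """Constructed stand-in for a vendored channel: two tiny repodata files."""
    channel = tempfile.mkdtemp()
    for subdir in ("linux-64", "noarch"):
        os.makedirs(os.path.join(channel, subdir))
        with open(os.path.join(channel, subdir, "repodata.json"), "w") as fh:
            json.dump({"packages": {}, "subdir": subdir}, fh)
    return channel
```

A verifier would recompute the subject digests from the channel on disk and compare them to the decoded payload before trusting the predicate.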
(WIP) for conda-vendor:
References, Notes, and Links:
Edit: Closed https://github.com/MetroStar/conda-vendor/pull/32 in favor of tracking progress here as this is a much bigger refactor.
Background
conda-lock has some awesome improvements in 1.x that will allow us to reduce duplicated functionality in conda-vendor's implementation.
Example conda-lock usage for 1.x:
Given an `environment.yaml`:
Generating a lockfile (conda-lock supports multiple solvers such as mamba and micromamba):
```shell
conda lock --file environment.yaml -p linux-64 --mamba
```
Produces the following `conda-lock.yml`:
Proposed conda-vendor changes + improvements:
Remove conda-vendor's meta-manifest generation
I propose that we remove the meta-manifest generation, as conda-lock's new lockfile format now includes all of the necessary information we use to vendor dependencies into a local channel.
- `vendor` command as the primary
- `hardening_manifest.yaml` `resources` block, using conda-lock's 1.0.x `FetchAction` object.
Remove conda-vendor's combined manifest functionality
conda-lock now has compound specification for lockfile generation, where you can create a `conda-lock.yaml` from one or more environment files.
- [ ] Remove intermediary step of generating a meta-manifest in favor of using conda-lock's 1.0.x compound-specification API. NOTE: this would be best tracked as its own issue
Signing and Verification
I propose that we introduce signing and verification of the vendored dependencies within a local channel (and/or the local channel itself), and generate a SLSA compliant in-toto spec attestation. NOTE: this would be best tracked as its own issue
- sigstore
- digital signing