aartaka / nx-dark-reader

Nyxt (3.0+) integration with Dark Reader.
BSD 2-Clause "Simplified" License

Pin JS dependency & verify it #2

Open hendursaga opened 2 years ago

hendursaga commented 2 years ago

It would be nice to pin the DarkReader package to a specific version, hard-code the SHA-512 hash, then subsequently verify the download. Then we'll have greater reproducibility and security.

aartaka commented 2 years ago

Indeed. While I'm not paranoid enough to care much about Dark Reader ever becoming unstable/unreliable, I can understand your reasoning here.

I thought about using a Dark Reader submodule, but they don't provide pre-compiled scripts there, as far as I know. Compiling it manually is too much work for someone installing the extension. Thus, the perfect scenario would be to check out a specific submodule version when ASDF-loading the extension. Still, it can be quite a demanding process...

I'm open to ideas there, as it's a non-trivial problem, I guess :D

hendursaga commented 2 years ago

Compiling it manually is too much of work

I was thinking merely hard-coding the version number in the URL at https://github.com/aartaka/nx-dark-reader/blob/master/nx-dark-reader.lisp#L51 and then comparing the downloaded file with a hard-coded hash. Like SRI.
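The pin-and-verify flow proposed above (versioned URL plus a hard-coded SRI-style digest checked before the file is used), as an added example that is not code from nx-dark-reader or from this thread; the URL, the sample script bytes and the digest are constructed placeholders, and `fetch` is a hypothetical injected downloader:

```python
import base64
import hashlib
import hmac
from typing import Callable

# Only the digests SRI allows; anything weaker (md5, sha1) is rejected outright.
ALLOWED_ALGOS = ("sha256", "sha384", "sha512")


class IntegrityError(Exception):
    """Raised when a downloaded file does not match its pinned digest."""


def integrity_for(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI-style 'algo-base64digest' string for a known-good file.

    Run once against the exact release you vetted, then hard-code the result
    next to the pinned URL.
    """
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported digest: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data against 'algo-base64digest' using a constant-time compare."""
    algo, sep, encoded = integrity.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        raise ValueError(f"malformed or unsupported integrity string: {integrity!r}")
    expected = base64.b64decode(encoded, validate=True)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def fetch_pinned(url: str, integrity: str, fetch: Callable[[str], bytes]) -> bytes:
    """Download url via fetch() and return its bytes only if they verify.

    Nothing is written to disk or loaded before the check passes, so a changed
    upstream file (or a changed CDN) fails closed instead of being injected.
    """
    data = fetch(url)
    if not verify_integrity(data, integrity):
        raise IntegrityError(f"{url} does not match pinned {integrity.split('-')[0]} digest")
    return data


# Constructed stand-ins: the real values would be the versioned URL used in
# nx-dark-reader.lisp and the output of integrity_for() on that exact file.
PINNED_URL = "https://example.invalid/darkreader/X.Y.Z/darkreader.js"
SAMPLE_SCRIPT = b"/* constructed stand-in for darkreader.js */\nDarkReader.enable();\n"
PINNED_INTEGRITY = integrity_for(SAMPLE_SCRIPT)
```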

hendursaga commented 2 years ago

Well, now that we've apparently switched to the UserScript / WebExtensions approach, I'm not sure how to proceed, as it does not seem the metadata block has ANY support for any sort of integrity check whatsoever. Horrifying!

aartaka commented 2 years ago

Yeah, that's a tough one. We can extend the syntax of @require with signature checking, though :)

hendursaga commented 2 years ago

See https://github.com/violentmonkey/violentmonkey/issues/1558#issuecomment-1231947929 for the issue I started there. Since I assume we're (going to be) using our own "userscript manager," using TamperMonkey's syntax would be a good idea.