bindl-dev / bindl

Project-defined static binary manager.
https://bindl.dev
Apache License 2.0

`bindl sync` is racy on bootstrapping cosign #59

Closed wilsonehusin closed 2 years ago

wilsonehusin commented 2 years ago

When necessary, `bindl sync` will shell out to `bindl get --bootstrap cosign`. This is done through the shell instead of programmatically to avoid a recursive import between `program/` and `command/`.

However, this is a racy implementation where the bootstrapped version might be used instead of a specified version of cosign in bindl.yaml.

wilsonehusin commented 2 years ago

I just realized that it is actually not racy, but implicitly uses the embedded version of cosign to validate signatures instead of using the version specified in bindl.yaml.

wilsonehusin commented 2 years ago

🤔 I think this is an inevitable chicken-and-egg problem, at least at the moment. Closing it for now until ideas / needs arise.