Closed deeglaze closed 7 months ago
I think @joergroedel is also doing this on the SUSE side for packaging, as the Open Build Service also does not have network access.
As discussed in the SVSM call on March 27th, 2024, the SVSM is not going to pull in vendored dependencies into its repository. Other ways to solve build integrity will be explored.
I'm working on a transparent build of coconut-svsm, and part of getting to a high level of operational security (slsa.dev level 3) is a hermetic build and secure build worker. Network access is disallowed in the toolchain container for this reason, so we have to maintain an internal patch of the dependencies vendored into a local directory. This is easy enough with the `cargo vendor` command and subsequent change to .cargo/config.toml. To stay truly upstream-first without any patches and have measured bits verifiably trace back to a commit hash from the original repo, it would be best to have vendoring done here, upstream.
The PR to do this would change the main build operation to run locked and offline, and provide another target to update dependencies and import the vendored sources.
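As an added example (not code from the coconut-svsm repository or from the poster), a POSIX shell sketch of the two targets the issue describes: a one-time update step that vendors dependencies and writes the .cargo/config.toml source override, and a locked, offline build that first verifies the vendor tree still covers Cargo.lock. It assumes the `vendor/<name>-<version>` layout produced by `cargo vendor --versioned-dirs` and a directory named `vendor`.

```shell
#!/bin/sh
# Added example, not from the coconut-svsm repo: hermetic cargo build with vendored sources.
# Assumes `cargo vendor --versioned-dirs` layout (vendor/<name>-<version>) and a dir named "vendor".

# Write the .cargo/config.toml override that points crates.io at the local vendor directory.
write_vendor_config() {
  root=$1; vdir=${2:-vendor}
  mkdir -p "$root/.cargo"
  cat > "$root/.cargo/config.toml" <<EOF
# Generated: resolve crates.io from vendored sources so the build needs no network.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "$vdir"
EOF
}

# List every crates.io package in Cargo.lock as <name>-<version> (one per line).
lock_crates_io_packages() {
  awk '
    /^\[\[package\]\]/      { if (src) print n "-" v; n = ""; v = ""; src = 0 }
    /^name = /              { gsub(/"/, "", $3); n = $3 }
    /^version = /           { gsub(/"/, "", $3); v = $3 }
    /^source = "registry\+/ { src = 1 }
    END                     { if (src) print n "-" v }
  ' "$1"
}

# Verify the vendor tree covers the lockfile: each crate must carry its cargo checksum manifest.
check_vendor_matches_lock() {
  root=$1; missing=0
  for pkg in $(lock_crates_io_packages "$root/Cargo.lock"); do
    [ -f "$root/vendor/$pkg/.cargo-checksum.json" ] || { echo "not vendored: $pkg" >&2; missing=1; }
  done
  return $missing
}

# Update target (network allowed once): refresh the lockfile and re-import sources.
vendor_update() {
  root=$1
  (cd "$root" && cargo update && cargo vendor --locked --versioned-dirs vendor >/dev/null)
  write_vendor_config "$root" vendor
}

# Build target: refuse network access and any lockfile change; fail early if vendor is stale.
build_hermetic() {
  root=$1; shift
  check_vendor_matches_lock "$root"
  (cd "$root" && cargo build --locked --offline "$@")
}
```

`cargo build --offline` still verifies each vendored crate against its `.cargo-checksum.json`, so the stale-vendor check here only turns a late build error into an early, readable one.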