Closed odeke-em closed 11 months ago
We could advise TM to actively use buf instead too (https://buf.build/tendermint/tendermint/tree/main).
This way we can simply buf export it.
@odeke-em do you want to make a PR here?
@kirbyquerby from my team had a much better suggestion! Nathan, please send a PR for it.
Currently
Currently in the Makefile the following code exists to download and build the protobuf dependencies from Tendermint: https://github.com/cosmos/cosmos-sdk/blob/40180cda8fe96a11c4797a7faf634673e545e19a/Makefile#L433-L457
Risk
Our software supply chain security partner and vendor Chainguard Inc performed a supply chain analysis of the cosmos-sdk in https://drive.google.com/file/d/1BCDUSZ3cSdO8FTD9A-nA21_iViONoFln/view and identified the risk of just using cURL to download dependencies, per

Sure, this uses HTTPS/SSL, but a mere Machine-In-The-Middle (MiTM) attack (common in corporate settings) can serve the desired wrong/target dependencies, and without their hashes being verified that further increases the bliss we face.
Suggestion
Using HTTPS alone with cURL will surely retrieve the files from the HTTPS source, but if a MiTM occurs there won't be any way to know that the files sent were the correct ones. Instead, we can perhaps use another protocol which checks and verifies expected SHA* digests of files and relies on prior histories to track file changes, and that protocol is git. I think that perhaps, instead of using cURL, we can use git with sparse checkouts to download exactly the target directories, without cloning the whole of the tendermint repo but only the proto/tendermint directory, and here is how we can do it
Just a kind FYI for @elias-orijtech @kirbyquerby @kaniini @amouat @marbar3778
Questions, criticisms and suggestions are highly welcome!
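The sparse-checkout approach proposed in the issue, worked through as an added example. This is not code from the issue, from the cosmos-sdk Makefile or from the author's PR; the function names (`fetch_pinned_dir`, `make_fixture_repo`) are assumptions, and the "upstream" repository it fetches from is a small fixture constructed inline so the script runs offline. The security-relevant step is the last one in `fetch_pinned_dir`: the download succeeds only if the checked-out commit id equals the id the maintainers recorded, so a substituted response on the wire yields a hard failure instead of silently different `.proto` files.

```shell
#!/usr/bin/env bash
# Added example: replace an unverified `curl` download with a git sparse checkout
# pinned to an expected commit id. Not code from cosmos-sdk or the issue author;
# function names and the fixture repository below are constructed for this demo.
set -eu

# fetch_pinned_dir REMOTE EXPECTED_COMMIT SUBDIR DEST
#   REMOTE          repository URL or path (for cosmos-sdk this would be the tendermint repo)
#   EXPECTED_COMMIT full 40-hex commit id the maintainers recorded
#   SUBDIR          the only directory to materialise (e.g. proto/tendermint)
#   DEST            local directory to populate
# Succeeds and prints the commit id only if HEAD in DEST is exactly EXPECTED_COMMIT.
fetch_pinned_dir() {
  local remote="$1" expected="$2" subdir="$3" dest="$4" actual

  # A short prefix or a branch name is a moving target, so insist on a full object id.
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "fetch_pinned_dir: EXPECTED_COMMIT must be a full 40-hex commit id" >&2
    return 1
  fi

  rm -rf "$dest"
  # --no-checkout fetches objects but writes no files; the sparse pattern is applied
  # first, so only SUBDIR ever reaches the working tree.
  git clone --quiet --no-checkout "$remote" "$dest"
  git -C "$dest" sparse-checkout init --cone
  git -C "$dest" sparse-checkout set "$subdir"
  # Check out the pinned object, not a branch tip.
  git -C "$dest" checkout --quiet "$expected"

  # A commit id commits to every tree and blob beneath it, so comparing HEAD with
  # the recorded id verifies the delivered files themselves, not just the transport.
  actual="$(git -C "$dest" rev-parse HEAD)"
  if [ "$actual" != "$expected" ]; then
    echo "fetch_pinned_dir: wanted $expected, got $actual" >&2
    return 1
  fi
  printf '%s\n' "$actual"
}

# make_fixture_repo DIR: constructed stand-in for the upstream repository so the
# example runs offline. Prints the commit id a maintainer would pin in the Makefile.
make_fixture_repo() {
  local dir="$1"
  mkdir -p "$dir/proto/tendermint/types" "$dir/docs"
  printf 'syntax = "proto3";\npackage tendermint.types;\n' \
    > "$dir/proto/tendermint/types/types.proto"
  printf 'not needed by the build\n' > "$dir/docs/README.md"
  git -C "$dir" init --quiet
  git -C "$dir" add .
  git -C "$dir" -c user.name=fixture -c user.email=fixture@example.invalid \
    commit --quiet -m "constructed upstream commit"
  git -C "$dir" rev-parse HEAD
}

# Demo: pin the fixture's commit, fetch only proto/tendermint, and list what arrived.
work="$(mktemp -d)"
pinned="$(make_fixture_repo "$work/upstream")"
fetch_pinned_dir "$work/upstream" "$pinned" proto/tendermint "$work/out" >/dev/null
find "$work/out/proto" -type f   # only proto/tendermint/types/types.proto is present
rm -rf "$work"
```

In a Makefile the pinned id would live in a variable next to the existing Tendermint version variable and be updated deliberately, in a reviewed commit, rather than resolved from a branch at build time; `git sparse-checkout` needs git 2.25 or newer.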