ivpn / desktop-app

Official IVPN Desktop app
https://www.ivpn.net/apps/
GNU General Public License v3.0

minor change, to improve trust amongst gentoo users. #291

Closed chris-stones closed 11 months ago

chris-stones commented 12 months ago

Feature request

A minor change to the release tarballs could make unofficial Gentoo packages easier to trust/verify:
include `desktop-app-*/cli/vendor` and `desktop-app-*/daemon/vendor` in release tarballs.

Description

Gentoo compiles and installs packages in a network-less sandbox.
This is desirable, because we know only the declared sources are being downloaded.
No supply-chain attacks from missing package locks, no malicious downloads from a deeply nested script, blah blah blah.

This means that Go cannot automatically fetch its dependencies during the compile phase.

The workaround is to have a package maintainer run `go mod vendor`.
Then they upload the package somewhere and share their ebuild with the community.

Gentoo doesn't officially support IVPN, so Gentoo users need to trust that this unknown community member didn't make any malicious modifications.

Describe the solution you'd like

Please include the vendor directory when you package release tarballs.
Then, the community ebuild needs to only reference your official release tarball.

This is much much easier to audit / trust.

Describe alternatives you've considered

An alternative is to use the pre-compiled RPM... but this is a last resort for Gentoo users.

stenya commented 12 months ago

> An alternative is to use the pre-compiled RPM... but this is a last resort for Gentoo users.

@chris-stones just FYI: Here is a link where you can download the latest RPMs of IVPN apps: https://www.ivpn.net/apps-linux/#binaries

stenya commented 11 months ago

Adding vendor folders to Go projects does not solve your original problem. The daemon project uses some third-party external projects. Therefore, when compiling the daemon project, those third-party external projects also need to be compiled. The sources of those projects are fetched from the internet. In other words, you need to have internet connectivity to build the entire project.

Moreover, compiling UI projects also requires internet connectivity to download dependent Node modules.

For now, I do not plan to use vendor folders since it does not solve the problem and brings some disadvantages related to project maintenance.

I am closing the ticket. Please feel free to reopen it if you think it is worth it.

chris-stones commented 11 months ago

Okay, understood, no problem. I won't re-open. However, I feel you are mistaken.

The 3rd party programs that you download and compile for the daemon (obfs4proxy etc.) are supported by Gentoo... So we don't need to worry about those.

I'm presently using the cli and daemon on a Gentoo system with the changes I proposed.

The code compiles and installs in a network-less sandbox.

As for the UI, yes, you are correct, I request no changes to that.

See the below Gentoo package for the daemon... see that we use Gentoo packages for the 3rd party libraries.

The part I don't like is the need for the "SOME_UNTRUSTED_STRANGERS_IP_ADDRESS" in the SRC_URI.



```bash
EAPI=8

inherit go-module systemd

DESCRIPTION="Official IVPN cli"
HOMEPAGE="https://www.ivpn.net/ https://github.com/ivpn"
# Official upstream source release...
SRC_URI="https://github.com/ivpn/desktop-app/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
# ...plus a separately hosted vendor tarball, which is the part users must trust blindly.
SRC_URI+=" https://${SOME_UNTRUSTED_STRANGERS_IP_ADDRESS}/${P}-vendor.tar.xz"

LICENSE="GPL-3"
KEYWORDS="~amd64"
SLOT="0"
IUSE="systemd"

RESTRICT="primaryuri"

# Third-party tools the daemon shells out to come from Gentoo packages, not from upstream's build.
RDEPEND="net-proxy/lyrebird
    net-dns/dnscrypt-proxy
    net-vpn/wireguard-tools
    net-vpn/openvpn
    net-wireless/wireless-tools
    sys-process/lsof
    sys-libs/glibc"

DEPEND="sys-libs/glibc"

BDEPEND=">=dev-lang/go-1.18"

IDEPEND="net-proxy/lyrebird
    net-dns/dnscrypt-proxy
    net-vpn/wireguard-tools"

S="${WORKDIR}/desktop-app-${PV}/daemon"

src_compile() {
    # version info variables, stamped into the binary via -ldflags
    VERSION="${PV}"
    DATE="$(date "+%Y-%m-%d")"
    COMMIT="${PV}_stamped"

    # go-module eclass builds with -mod=vendor, so no network access is needed
    ego build -trimpath -ldflags "-s -w -X github.com/ivpn/desktop-app/daemon/version._version=$VERSION -X github.com/ivpn/desktop-app/daemon/version._commit=$COMMIT -X github.com/ivpn/desktop-app/daemon/version._time=$DATE"
}

src_install() {
    mkdir -p "${D}/opt/ivpn/etc" || die
    newbin daemon ivpn-service

    # install paths are absolute, relative to the image root
    insinto "/opt/ivpn/etc"
    insopts -m700
    doins "References/Linux/etc/client.down"
    doins "References/Linux/etc/client.up"
    doins "References/Linux/etc/firewall.sh"
    doins "References/Linux/etc/splittun.sh"
    insopts -m600
    doins "References/common/etc/servers.json"
    insopts -m400
    doins "References/common/etc/ca.crt"
    doins "References/common/etc/ta.key"
    doins "References/common/etc/dnscrypt-proxy-template.toml"

    # point the daemon's expected tool locations at the system-packaged binaries
    dosym "$(which wg-quick)" "/opt/ivpn/wireguard-tools/wg-quick"
    dosym "$(which wg)" "/opt/ivpn/wireguard-tools/wg"
    dosym "$(which obfs4proxy)" "/opt/ivpn/obfsproxy/obfs4proxy"
    dosym "$(which dnscrypt-proxy)" "/opt/ivpn/dnscrypt-proxy/dnscrypt-proxy"

    if use systemd; then
        systemd_dounit "${FILESDIR}/ivpn-service.service"
    else
        newinitd "${FILESDIR}/ivpn.initd" ivpn
    fi

    default
}
```

chris-stones commented 11 months ago

I just looked at 351eeda29f2a3763b92776c4c8483f00572b6fc6.
I wasn't advocating adding the vendor folder to git.

I had imagined that this would be a one-liner in the source tarball deploy script?

Running `go mod vendor` before creating and uploading the tarball?

But... yes.. if it's more complicated than this, please ignore.. I suspect you might not have a massive Gentoo customer base .. we are a rare breed :+1:

Thanks.
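The trust problem the thread circles around is that a vendor tarball from a stranger could diverge from what upstream's `go.mod` actually requires. The following is an added example, not code from this thread or from the IVPN project: a small auditor that cross-checks a `vendor/modules.txt` against a `go.mod`, reporting missing, drifted and unexpected modules. The `go.mod` and `modules.txt` contents are constructed samples, not IVPN's real files.

```python
"""Cross-check a Go vendor/modules.txt against the go.mod it should satisfy.

Added example (not IVPN project code). Both inputs below are constructed.
"""
import re

# Constructed go.mod with three requirements.
GO_MOD = """module example.com/daemon

go 1.18

require (
\tgolang.org/x/sys v0.5.0
\tgithub.com/example/lib v1.2.3
\tgithub.com/example/missing v0.3.0
)
"""

# Constructed vendor/modules.txt: one version drifted, one required module
# is absent, and one module was vendored that go.mod never asked for.
MODULES_TXT = """# golang.org/x/sys v0.5.0
## explicit; go 1.17
golang.org/x/sys/unix
# github.com/example/lib v1.2.4
## explicit
github.com/example/lib
# github.com/example/extra v9.9.9
## explicit
github.com/example/extra
"""

REQ_RE = re.compile(r"^\s*(\S+)\s+(v\S+)")

def parse_go_mod(text):
    """Return {module: version} from single-line and block 'require' directives."""
    reqs, in_block = {}, False
    for line in text.splitlines():
        line = line.split("//")[0].rstrip()   # drop '// indirect' style comments
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line.strip() == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        m = REQ_RE.match(line)
        if m:
            reqs[m.group(1)] = m.group(2)
    return reqs

def parse_modules_txt(text):
    """Return {module: version} from the '# module version' header lines."""
    mods = {}
    for line in text.splitlines():
        if line.startswith("# ") and not line.startswith("## "):
            parts = line[2:].split()
            if len(parts) >= 2:
                mods[parts[0]] = parts[1]
    return mods

def audit(go_mod, modules_txt):
    """Sorted list of discrepancies; empty means the vendor dir matches go.mod."""
    want, have = parse_go_mod(go_mod), parse_modules_txt(modules_txt)
    issues = [f"missing: {m} {v}" for m, v in want.items() if m not in have]
    issues += [f"version drift: {m} want {v} have {have[m]}"
               for m, v in want.items() if m in have and have[m] != v]
    issues += [f"unexpected: {m} {v}" for m, v in have.items() if m not in want]
    return sorted(issues)
```

`go build -mod=vendor` performs an equivalent consistency check itself; running this before the sandboxed build simply surfaces the mismatch while the tarball's origin is still in question.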