kpcyrd / rebuilderd

Independent verification of binary packages - reproducible builds
GNU General Public License v3.0

Attestation transparency logs #13

Open kpcyrd opened 4 years ago

kpcyrd commented 4 years ago

As an extension of #12 there should be a tamper-resistant log, similar to certificate transparency.

tarcieri commented 4 years ago

I had a (rather "ambitious") idea of how this could be done using BFT consensus around quorum builds:

https://github.com/iqlusioninc/synchronicity/blob/develop/README.md#about

A simpler approach would be to log to something like Google Trillian.

SantiagoTorres commented 4 years ago

I'd love to explore the possibility of using BFT. I think the question regarding trillian would be to create a profile, which is something we've explored doing in the in-toto team...

tarcieri commented 4 years ago

> I think the question regarding trillian would be to create a profile

Trillian "Personality", but yes

https://github.com/google/trillian/blob/master/docs/Personalities.md

The Golang "SumDB" uses one for this purpose, I believe:

https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

Foxboron commented 4 years ago

I personally have some motivation to look into the sumdb code from golang. It's frankly simpler than the trillian monstrosity using grpc and god knows what.

tarcieri commented 4 years ago

@Foxboron sumdb uses Trillian:

https://blog.golang.org/module-mirror-launch

> The checksum database is served by sum.golang.org, and is built on a Transparent Log (or “Merkle tree”) of hashes backed by Trillian. The main advantage of a Merkle tree is that it is tamper proof and has properties that don’t allow for misbehavior to go undetected, which makes it more trustworthy than a simple database. The go command uses this tree to check “inclusion” proofs (that a specific record exists in the log) and “consistency” proofs (that the tree hasn’t been tampered with) before adding new go.sum lines to your module’s go.sum file. Below is an example of such a tree.
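The two proof types named in the quoted blog post are what make a transparency log tamper-evident, so here is a worked example of both over a small attestation log. This is an added example written for this thread; it is not code from rebuilderd, Trillian or the Go checksum database. It implements the RFC 6962 Merkle tree (the construction Certificate Transparency uses: SHA-256 with a 0x00 prefix for leaves and 0x01 for interior nodes) and the RFC 9162 verification procedures for inclusion and consistency proofs. All function names are this example's own, the five attestation records are constructed sample data, and the "trusted root" is simply taken from the in-memory tree where a real client would get it from a signed tree head.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// RFC 6962 hashing: prefix 0x00 for a leaf and 0x01 for an interior node,
// so a leaf hash can never be passed off as a subtree root.
func hashNode(prefix byte, parts ...[]byte) []byte {
	sum := sha256.Sum256(append([]byte{prefix}, bytes.Join(parts, nil)...))
	return sum[:]
}
func hashLeaf(data []byte) []byte { return hashNode(0x00, data) }
func hashPair(l, r []byte) []byte { return hashNode(0x01, l, r) }

// split is the largest power of two strictly less than n (n > 1).
func split(n int) int { return 1 << uint(bits.Len(uint(n-1))-1) }

// RootHash is MTH(D[0:n]) over already-hashed leaves, n >= 1.
func RootHash(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := split(len(leaves))
	return hashPair(RootHash(leaves[:k]), RootHash(leaves[k:]))
}

// InclusionProof is PATH(m, D[0:n]): the sibling hashes from leaf m up to the root.
func InclusionProof(m int, leaves [][]byte) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := split(len(leaves))
	if m < k {
		return append(InclusionProof(m, leaves[:k]), RootHash(leaves[k:]))
	}
	return append(InclusionProof(m-k, leaves[k:]), RootHash(leaves[:k]))
}

// ConsistencyProof is PROOF(m, D[0:n]), 0 < m < n: evidence that the first
// m leaves are an unchanged prefix of the n-leaf tree, i.e. the log only grew.
func ConsistencyProof(m int, leaves [][]byte) [][]byte { return subProof(m, leaves, true) }
func subProof(m int, leaves [][]byte, complete bool) [][]byte {
	if m == len(leaves) {
		if complete {
			return nil
		}
		return [][]byte{RootHash(leaves)}
	}
	k := split(len(leaves))
	if m <= k {
		return append(subProof(m, leaves[:k], complete), RootHash(leaves[k:]))
	}
	return append(subProof(m-k, leaves[k:], false), RootHash(leaves[:k]))
}

// walk is the climb shared by both RFC 9162 verification algorithms: the bits
// of fn (old index) and sn (new index) say whether each proof hash is the left
// or right sibling of the node being rebuilt; malformed proofs fail here.
func walk(fn, sn int, proof [][]byte, left, right func([]byte)) bool {
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			left(p)
			for fn != 0 && fn&1 == 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			right(p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0
}

// VerifyInclusion needs only the leaf, its index, the tree size and a root the
// client already trusts (in CT that root comes from a signed tree head).
func VerifyInclusion(index, size int, leaf, root []byte, path [][]byte) bool {
	r := leaf
	return index >= 0 && index < size && walk(index, size-1, path,
		func(p []byte) { r = hashPair(p, r) },
		func(p []byte) { r = hashPair(r, p) }) && bytes.Equal(r, root)
}

// VerifyConsistency rejects any newRoot whose tree does not contain the old
// tree as a prefix, i.e. any rewritten or truncated history.
func VerifyConsistency(first, second int, oldRoot, newRoot []byte, proof [][]byte) bool {
	if first <= 0 || first >= second || len(proof) == 0 {
		return false
	}
	if first&(first-1) == 0 { // old size is a power of two: oldRoot is itself a node
		proof = append([][]byte{oldRoot}, proof...)
	}
	fn, sn := first-1, second-1
	for fn&1 == 1 {
		fn, sn = fn>>1, sn>>1
	}
	fr, sr := proof[0], proof[0]
	return walk(fn, sn, proof[1:],
		func(c []byte) { fr, sr = hashPair(c, fr), hashPair(c, sr) },
		func(c []byte) { sr = hashPair(sr, c) }) &&
		bytes.Equal(fr, oldRoot) && bytes.Equal(sr, newRoot)
}

func main() {
	var leaves [][]byte // constructed sample records, one attestation line per rebuild
	for _, rec := range []string{"pkg-a 1.0 GOOD", "pkg-b 2.3 BAD", "pkg-c 0.9 GOOD", "pkg-a 1.1 GOOD", "pkg-d 4.0 GOOD"} {
		leaves = append(leaves, hashLeaf([]byte(rec)))
	}
	root5 := RootHash(leaves)
	fmt.Printf("root after 5 entries: %x\n", root5)
	fmt.Println("entry 2 included:", VerifyInclusion(2, 5, leaves[2], root5, InclusionProof(2, leaves)))
	fmt.Println("3 -> 5 consistent:", VerifyConsistency(3, 5, RootHash(leaves[:3]), root5, ConsistencyProof(3, leaves)))
}
```

The security property worth noticing is in VerifyConsistency: a log operator who silently rewrites or drops an earlier attestation cannot produce a proof that links the root a client remembered (three entries) to the new root (five entries), because the proof hashes would have to reconstruct the old root from the altered leaves. A client that pins the last root it saw and demands a consistency proof on every update therefore detects history rewrites without trusting the operator; the log only needs to be made signed and gossiped for that detection to become public, which is the "similar to certificate transparency" part of this issue.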

Foxboron commented 4 years ago

Wait, what. Now I'm confused by what the mod/sumdb is supposed to contain. There are no traces of trillian anywhere in their github org. Is the backend proprietary?

tarcieri commented 4 years ago

It contains a client for verifying go.sum attestations as served from https://sum.golang.org. See the API here:

https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#checksum-database

The verifiable log behind https://sum.golang.org is managed by Trillian. I'm not sure if the personality they're using is open source or not (I can't find it quickly, but have pinged the relevant people)

Foxboron commented 4 years ago

Right, so I checked the Gophers Slack and it is indeed proprietary. It's apparently "not a lot of code" on top of trillian, but the storage code is heavily tied to what I assume is GCP and the storage there.

That is a bit unfortunate I think.