leogdion / PackageListValidator

A tool for validating the SwiftPM Library/Swift Package Index master package list.
MIT License

Verifying the validity of the `validate` binary #16

Open daveverwer opened 4 years ago

daveverwer commented 4 years ago

Now that the PackageList repo has a binary version of validate, we may get some questions around how trustworthy that is. We know that it's compiled directly from the source in this repository, but other people might not be willing to take our word for it.

Technically I don't even know whether that binary did come from this source! I have no doubts, but it's coming down to trust.

We should discuss what we do to put people's fears to rest. I'm open to all suggestions, from something as simple as a checksum that we ship in the PackageList repository, to something more fundamental. I know @finestructure has some views on this so please do chime in.

Also, script.sh now downloads a binary, executes it, and deletes it. That's technically no more risky than what it did before, but it somehow feels it! 😬 Do we know if anyone is using this script? I'd maybe feel happier if we didn't have this script be part of the PackageList repository.

leogdion commented 4 years ago

I use the script in my CI scripts:

```yaml
...
      run: curl -s https://raw.githubusercontent.com/SwiftPackageIndex/PackageList/main/script.sh | bash -s -- mine
```

However, I don't think the script is necessary at all. I could easily run it via something like mint on my CI since it's a Swift package.

I'm not sure of the best way users can use the checksum. Perhaps I could include the binary as a zip and use GitHub releases for the checksum, but I am open to suggestions as well.

daveverwer commented 4 years ago

> However, I don't think the script is necessary at all. I could easily run it via something like mint on my CI since it's a Swift package.

Or even just have this script in your repository. Let's remove it from the PackageList repo as soon as is convenient for you.

> I'm not sure of the best way users can use the checksum. Perhaps I could include the binary as a zip and use GitHub releases for the checksum, but I am open to suggestions as well.

I think doing releases would be a great idea, regardless of the checksum issue. 👍

leogdion commented 4 years ago

> Or even just have this script in your repository. Let's remove it from the PackageList repo as soon as is convenient for you.

Agreed. I'll remove it.

> I think doing releases would be a great idea, regardless of the checksum issue. 👍

Is there a way rather than committing the binary here, we just use the latest release and then folks can run a checksum off of the zip file?
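The "run a checksum off of the zip file" idea above, as an added example that is not part of this thread or of the PackageListValidator project: a POSIX shell fragment in which a consumer pins the SHA-256 digest published with a release, downloads the zip, and refuses to unpack or execute the binary unless the digest matches. The function names (`sha256_of`, `verify_checksum`, `fetch_and_validate`), the release URL and the pinned digest are assumptions and placeholders, not values from the project.

```shell
#!/bin/sh
# Added example (not from the PackageListValidator project): verify a downloaded
# release artifact against a pinned SHA-256 digest before it is unpacked or run.
# The URL and digest used by callers are placeholders an adopter would replace
# with the values published alongside each GitHub release.

set -eu

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only when the file's digest equals the expected digest.
# Hex case is normalised so a digest copied from a release page in upper case
# still compares equal.
verify_checksum() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# Download, verify, then run: the binary is executed only after the digest
# matches, and the temporary directory is removed on exit either way.
# Usage: fetch_and_validate <release-zip-url> <pinned-sha256> [validate args...]
fetch_and_validate() {
  url="$1"
  pinned="$2"
  shift 2
  tmp="$(mktemp -d)"
  trap 'rm -rf "$tmp"' EXIT
  curl -sSfL "$url" -o "$tmp/validate.zip"
  if ! verify_checksum "$tmp/validate.zip" "$pinned"; then
    echo "checksum mismatch for $url; refusing to run the binary" >&2
    return 1
  fi
  unzip -q "$tmp/validate.zip" -d "$tmp"
  "$tmp/validate" "$@"
}
```

A CI job would call `fetch_and_validate "https://example.invalid/validate.zip" "<pinned digest>" mine` (placeholder URL and digest) instead of piping a remote script into `bash`; the pinned digest lives in the consumer's own repository, so a swapped artifact fails the check rather than being executed.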

daveverwer commented 4 years ago

Do you mean not including the binary in the PackageList repository, or in this repository?

leogdion commented 4 years ago

Including a zip in the GitHub release and not in the PackageList repository.

daveverwer commented 4 years ago

How would people run validate on PackageList?

leogdion commented 4 years ago

Create a script 😂 I am open to ideas but that's the only thing I can think of if we really want to validate the release. The script would: