search

lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License
7.72k stars 2.09k forks source link

Use pinned SHA for the bitcoin-core #5720

Open naveensrinivasan opened 3 years ago

naveensrinivasan commented 3 years ago

https://github.com/lightningnetwork/lnd/blob/777abe5ff00707fbce0c58a4536cffebd055db25/scripts/install_bitcoind.sh#L5

The ruimarinho/bitcoin-core:0.20.1 is pinned by a tag. Tags can be moved and are also susceptible for supply chain attacks. It is recommended to pin by sha

More information on https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

crane digest ruimarinho/bitcoin-core:0.20.1
sha256:fbf95b4134cd2f35a3cfe3c26feb89e72103234220fd7f2804ec9d3d91880a2b

For example, the above can be pinned by SHA using something like https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_digest.md

Here is an example of using the SHA instead of tag https://github.com/ossf/scorecard/blob/4c4fb61d5106e39988dce8c277a8575d939a83e7/cron/worker/Dockerfile#L15

naveensrinivasan commented 3 years ago

https://twitter.com/peter_szilagyi/status/1437646118700175360

A recent supply chain attack.

naveensrinivasan commented 3 years ago

I am working on a PR for this.

guggero commented 3 years ago

This is definitely something we should fix! Even though this is currently only used for integration tests, other users of the repo might rely on this script so we should make it safer to use.