mario-eth / soldeer

Solidity Package Manager written in rust
MIT License

Clarify who did/can publish code for common packages #52

Open Amxx opened 1 month ago

Amxx commented 1 month ago

https://soldeer.xyz/ mentions that it supports, among others, @openzeppelin-contracts and @openzeppelin-contracts-upgradeable.

As maintainers of this project, we are curious how our code is being retrieved when a user does:

soldeer install @openzeppelin-contracts-upgradeable~5.0.2

That last option would be dangerous in our opinion. We want to assure our users that they get code that was not tampered with and that can be trusted.

Ideally they would only have to trust us. The current solution implies trusting either npmjs.com or GitHub, both of which are OK to most users (even though it's not ideal). Trusting soldeer.xyz, or trusting a community maintainer that pushes code to soldeer.xyz, is very different IMO from trusting npm or GitHub.

We'd like to understand the process more (and we think that should be very clearly documented on https://soldeer.xyz/project/@openzeppelin-contracts), so that we can inform our users accordingly.

mario-eth commented 1 month ago

Hey,

Currently, the dependencies are pulled from npm and pushed to the soldeer central repository using npm; the crawler is run by me, using this code: https://github.com/mario-eth/soldeer-crawler. The goal is to transfer the projects to the teams that maintain them, so that they publish to soldeer the same way they publish to npm. Furthermore, during install, a sha is generated in the soldeer lock that can be verified against the same files on the dependency.

I totally agree that one should not trust the soldeer maintainers to publish the right sources, but until the projects are willing to do that, I have to push them. I will update the readme and add a warning to every project to say that they are pulled and maintained by the soldeer maintainer.
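The lock-file check mentioned above (a digest recorded at install time and re-verified against the dependency's files) can be illustrated with a small, self-contained script. This is an added example, not soldeer's own code, and it does not reproduce soldeer's real lock format or hashing scheme; the file contents, package name and lock entry below are constructed for the demonstration. It shows why the digest must be computed deterministically over both paths and contents, and how a tampered file or a renamed file fails verification.

```python
import hashlib
import hmac
from typing import Dict


def package_digest(files: Dict[str, bytes]) -> str:
    """Deterministic SHA-256 over a package's files.

    Paths are processed in sorted order, and every path and content is
    length-delimited, so the digest cannot collide by moving bytes between
    a file name and its content, and a renamed file changes the result.
    (Constructed scheme; soldeer's actual lock hashing is not replicated.)
    """
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        encoded_path = path.encode("utf-8")
        h.update(len(encoded_path).to_bytes(8, "big"))
        h.update(encoded_path)
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def verify_against_lock(lock_entry: dict, files: Dict[str, bytes]) -> bool:
    """Return True only if the installed files match the digest in the lock.

    Uses a constant-time comparison so the check does not leak how many
    leading hex digits matched.
    """
    expected = lock_entry["checksum"]
    actual = package_digest(files)
    return hmac.compare_digest(expected, actual)


# Constructed sample package: what a registry might serve for a version.
ORIGINAL_FILES = {
    "contracts/Token.sol": b"pragma solidity ^0.8.20;\ncontract Token {}\n",
    "README.md": b"# example package\n",
}

# Constructed lock entry, as if written when the package was first installed.
LOCK_ENTRY = {
    "name": "@example-package",          # hypothetical package name
    "version": "1.0.0",
    "checksum": package_digest(ORIGINAL_FILES),
}

# A copy with one file altered after the lock was written.
TAMPERED_FILES = dict(ORIGINAL_FILES)
TAMPERED_FILES["contracts/Token.sol"] = (
    b"pragma solidity ^0.8.20;\ncontract Token { function drain() public {} }\n"
)

# A copy with the same bytes but a different path, which should also fail.
RENAMED_FILES = {
    "contracts/Token2.sol": ORIGINAL_FILES["contracts/Token.sol"],
    "README.md": ORIGINAL_FILES["README.md"],
}


if __name__ == "__main__":
    print("original verifies:", verify_against_lock(LOCK_ENTRY, ORIGINAL_FILES))
    print("tampered verifies:", verify_against_lock(LOCK_ENTRY, TAMPERED_FILES))
    print("renamed verifies:", verify_against_lock(LOCK_ENTRY, RENAMED_FILES))
```

Note that this check only detects drift from whatever was recorded in the lock; if the registry copy was already modified before the first install, the lock records the modified content. That is why the trust question in this thread (who publishes to the registry) is separate from, and not solved by, lock-file integrity alone.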

mario-eth commented 1 month ago

Added readme docs: https://github.com/mario-eth/soldeer?tab=readme-ov-file#dependencies-maintenance. Will update the frontend to show a disclaimer for every project that is maintained by Soldeer, to alert users about this.

mario-eth commented 1 month ago

Now every project that is maintained by Soldeer shows this.

Amxx commented 1 month ago

Thank you. The warning looks good to me!