mi6 / ic-ui-kit

Intelligence Community UI Kit (based on StencilJS)
MIT License

Generate hash during the build chain to verify content is unchanged #2428

Open mi6-577 opened 2 months ago

mi6-577 commented 2 months ago

Summary

In order to provide some assurance that downloads of the ICDS are 'untampered', we should provide a hash number at the point of releasing a new build.

💬 Description

A hash number is unique to the build and can be used by customers to verify that their download has been untouched.

Why do we need it?

Further reading on why hashes are important for open source code can be found here: https://proprivacy.com/guides/how-why-and-when-you-should-hash-check

evenstensberg commented 2 months ago

Do you need this to be on release/package distribution level? That makes sense.

If you release via github in addition to npm, they do validation.

evenstensberg commented 1 month ago

possible implementation

[screenshot: possible implementation, 2024-10-07 20:36:12]
evenstensberg commented 1 month ago

I've managed to get the needed data available within the scope of the web components, but not added to the window object. It seems like that is removed on build.

@GCHQ-Developer-299 I have a suggestion:

Maybe you should add a stencil component named ic-stats where the customer can import that component to get version number, build time and hash themselves?

If so, I can set up a simple PR that shows you how to access the variables - it's pretty straightforward.