pocketnetteam / roadmap

This repository hosts the Bastyon Roadmap and related documents that explain problems to be solved and proposals for their solutions.

Distribution of code and binary files #2

Open andyoknen opened 1 month ago

andyoknen commented 1 month ago

I suggest discussing options for solving the problem of delivering installation packages to end users. The details are described in my explainer.

gked commented 4 weeks ago

I think it's a step in the right direction because it enables Bastyon project participants to drop their dependency on centralized solutions.

What did you mean in your post about making it mandatory? Is this about making code publishing to IPFS only? How do you foresee using Bastyon as part of the solution? Something along the lines below?

Scenario 1: Developer Publishing Flow

  1. Developer builds release binary
  2. Uploads to IPFS/Bastyon storage
  3. Creates release record on Bastyon with:
    • Binary hash
    • IPFS location
    • Version info
    • Their signature
    • Build instructions/environment specs
  4. Other developers:
    • Download source
    • Verify they can reproduce the binary
    • Review code changes
    • Add their signatures if approved
  5. Once threshold of signatures reached, release becomes "official"
  6. Release record updated with all signatures and proofs

Scenario 2: Recovery/Rollback Management

  1. Network maintains:
    • Complete version history
    • All signatures for each version
    • Build verification proofs
    • Known issues/security alerts
  2. Organizations can:
    • Roll back to any verified version
    • See who signed each version
    • Verify the integrity of old versions
    • Check security history
  3. Emergency procedures:
    • Revocation of compromised signatures
    • Quick deployment of security fixes
    • Alert system for critical issues
    • Coordinated rollback procedures

End User Scenario 3: Standard User App Download

End User Scenario 4: Auto-Update Flow
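
Added illustration, not part of gked's comment or of any Bastyon code: a client-side check combining Scenario 1's signature threshold with Scenario 2's signature revocation. The record layout, the signer names and `check_release` are assumptions, and HMAC-SHA256 stands in for a real public-key signature scheme.

```python
import hashlib, hmac, json

def canonical(record):
    # Signatures cover every field a client acts on, not only the hash.
    body = {k: record[k] for k in ("version", "sha256", "location")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def demo_sign(key, record):
    # ASSUMPTION: HMAC-SHA256 stands in for a real public-key signature
    # (e.g. Ed25519) so the example stays standard-library only.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def demo_verify(key, message, sig):
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def check_release(binary, record, trusted, revoked, threshold, verify=demo_verify):
    """Return (ok, valid_signers) for a downloaded binary and its release record."""
    if hashlib.sha256(binary).hexdigest() != record["sha256"]:
        return False, set()              # wrong or corrupted download
    message = canonical(record)
    valid = set()                        # a set: one developer counts once
    for signer, sig in record["signatures"]:
        if signer not in trusted or signer in revoked:
            continue                     # unknown or revoked key: ignore
        if verify(trusted[signer], message, sig):
            valid.add(signer)
    return len(valid) >= threshold, valid

# Constructed sample data (hypothetical developers, keys and record).
BINARY = b"constructed release bytes"
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
RECORD = {
    "version": "1.0.0",
    "sha256": hashlib.sha256(BINARY).hexdigest(),
    "location": "ipfs://<placeholder-cid>",
    "signatures": [],
}
for name in ("alice", "bob", "alice"):   # alice signs twice
    RECORD["signatures"].append((name, demo_sign(KEYS[name], RECORD)))
RECORD["signatures"].append(("mallory", "00" * 32))  # not a trusted signer

if __name__ == "__main__":
    print(check_release(BINARY, RECORD, KEYS, set(), 2))      # threshold met
    print(check_release(BINARY, RECORD, KEYS, {"bob"}, 2))    # bob revoked
```
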

andyoknen commented 4 weeks ago

@gked I think distribution via IPFS is not necessary, because the current IPFS network is not stable, and we do not have enough independent nodes to create a reliable network. Overall, I think GitHub looks good in the short term. The main thing is the process of passing the baton between developers - how to solve the problem of parallel signature?