serai-dex / serai


Supply chain integrity #317

Open kayabaNerve opened 1 year ago

kayabaNerve commented 1 year ago

We have roughly 1000 dependencies in the Serai node, all of which we have to be sure of.

One of the main things I want to prioritize is reduction of that amount of dependencies, primarily via reduction of Substrate itself (tracked in #28).

If we want to remove all dependency duplication, we're looking at extensive patch sections, or even a MITM git proxy which will auto-patch as we want.

315 would be a great first step to ensuring the actual integrity of crates.

We also need to make sure all crates have their source properly published. wyz, a dalek dependency, was unpublished on GH for almost a year.

And then Substrate hasn't been audited...
If we can't be confident in our supply chain, we probably want to implement a rate limiter to outbound transactions (possibly of independent interest).

kayabaNerve commented 1 year ago

Tools I've identified as potentially worthwhile:

https://github.com/aquasecurity/trivy
https://github.com/davidlattimore/cackle
https://github.com/rust-secure-code/cargo-supply-chain

I'd also like to write code, potentially as a cargo deny extension, for https://github.com/EmbarkStudios/cargo-deny/issues/348. If the commit is available, ideally it's also checked to be on the default branch to ensure visibility.

kayabaNerve commented 1 year ago

Our lockfile massively over-reports due to pulling in crates for features unused (it includes blake3 due to cid despite never importing cid with the blake3 feature, and a bunch of garbage thanks to webrtc). I'd appreciate seeing a list of packages based on actual use, so we only have to establish trust levels for those.
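One way to produce the "packages based on actual use" list asked for above, as an added example that is not code from this issue or from Serai: Cargo.lock records every dependency the resolver may ever need, while `cargo metadata --format-version 1` reports only the feature-activated graph, so the difference between the two is the over-reported set. The Cargo.lock text and the metadata excerpt below are constructed (the real thing comes from `cargo metadata` on the workspace), and the walk assumes the documented `packages`, `workspace_members` and `resolve.nodes[].deps[].dep_kinds` fields.

```python
"""List Cargo.lock entries that the feature-resolved graph from `cargo metadata
--format-version 1` never activates, so only activated crates need trust review."""
import re

# Constructed Cargo.lock excerpt (illustrative, not Serai's real lockfile).
CARGO_LOCK = "\n".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\n'
                       for n, v in [("app", "0.1.0"), ("cid", "0.10.1"), ("blake3", "1.5.0")])
PKG_RE = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')

# Constructed `cargo metadata` excerpt. cid's optional blake3 feature is off, so no
# resolve edge reaches blake3 even though Cargo.lock records it.
REG = "registry+https://github.com/rust-lang/crates.io-index"
APP, CID, BLAKE3 = "path+file:///app#0.1.0", f"{REG}#cid@0.10.1", f"{REG}#blake3@1.5.0"
METADATA = {
    "packages": [{"id": APP, "name": "app", "version": "0.1.0"},
                 {"id": CID, "name": "cid", "version": "0.10.1"},
                 {"id": BLAKE3, "name": "blake3", "version": "1.5.0"}],
    "workspace_members": [APP],
    "resolve": {"nodes": [
        {"id": APP, "deps": [{"name": "cid", "pkg": CID,
                              "dep_kinds": [{"kind": None, "target": None}]}]},
        {"id": CID, "deps": []},
        {"id": BLAKE3, "deps": []},
    ]},
}

def lockfile_packages(lock_text: str) -> set[str]:
    """Every 'name version' entry in Cargo.lock, whatever features are enabled."""
    return {f"{n} {v}" for n, v in PKG_RE.findall(lock_text)}

def activated_packages(metadata: dict, include_dev: bool = False) -> set[str]:
    """Packages reachable from the workspace members over normal/build (optionally dev) edges."""
    key = {p["id"]: f'{p["name"]} {p["version"]}' for p in metadata["packages"]}
    nodes = {n["id"]: n for n in metadata["resolve"]["nodes"]}
    seen: set[str] = set()
    stack = list(metadata["workspace_members"])
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for dep in nodes[pid]["deps"]:
            kinds = {k["kind"] for k in dep["dep_kinds"]}
            if include_dev or kinds != {"dev"}:  # test-only edges are not shipped
                stack.append(dep["pkg"])
    return {key[pid] for pid in seen}

def lock_only_packages(lock_text: str, metadata: dict) -> set[str]:
    """Lockfile entries never activated: candidates to drop from the trust-review list."""
    return lockfile_packages(lock_text) - activated_packages(metadata)
```

Pass `include_dev=True` if dev-dependencies should also be trust-reviewed; by default only edges that ship in the node are followed.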