Certified/Mandatory CI uploads #4332
Replies: 2 comments
-
We don't currently mandate the use of GitHub for projects, only for account creation (and account creation might not be GitHub-only forever). There are projects that host their code on gitlab, bitbucket, or personal websites.
-
Before cryptocurrency mining ruined everything, Docker had a neat model, in that you would register your public source repository within the public Docker Hub, and the Hub would register its own webhooks for notification when you committed to main, and it would use the Hub's own build/compute resources to read your source code, build your Dockerfile, and publish your image. Because the full chain of custody from commit to registry was controlled by the Docker Hub, they could mark these images as such. Now that public-good compute has been ruined forever, I suppose we need a new way to maintain this trust/chain-of-custody without relying on free compute resources.
-
After the recent ESLint incident, there has been some discussion on how to prevent accidents like this.
Package registries tend to be very opaque, since you will almost never inspect the code you download (you just build it directly). Thus, ensuring the integrity of the uploaded code is important, and one way to improve the transparency is to enforce upload from CI.
The concept is similar to reproducible builds, where you can have consistent artifacts with a given source. Although enforcing CI uploads doesn't require reproducibility, we can:
To present this to a user, I propose the following approach:
Edit: Users may choose another hosted provider (if we support it), like Bitbucket or GitLab.com. However, whether to support self-hosted Git solutions needs to be discussed, as they are easier to compromise than shared hosting services.
Cargo.toml
, thus the hash takes crate version into account)
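The post above describes two checks a registry could make once uploads come only from CI: that the published artifact is the one CI built from a pinned commit, and that the recorded hash covers the crate version in Cargo.toml. The following is an added example of such a verifier, not code from the discussion or from crates.io. The record format, the `uploader` field, the `toy_build` stand-in for `cargo package`, and the sample source tree are all constructed for the example; a real deployment would replace `toy_build` with a reproducible build of the actual crate.

```python
"""Verify a registry release record against an independent rebuild of the
pinned source. Added example; record layout and the toy build are made up."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Optional


def hash_source_tree(files: dict[str, bytes]) -> str:
    """Deterministic hash over {relative_path: contents}. Paths are sorted and
    both path and content are length-prefixed, so traversal order does not
    matter and file boundaries cannot be confused."""
    h = hashlib.sha256()
    for path in sorted(files):
        p = path.encode("utf-8")
        data = files[path]
        h.update(len(p).to_bytes(4, "big") + p)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def load_source_tree(root: Path) -> dict[str, bytes]:
    """Read a checked-out directory into the {path: bytes} form used above."""
    return {
        f.relative_to(root).as_posix(): f.read_bytes()
        for f in sorted(root.rglob("*"))
        if f.is_file()
    }


def crate_version(files: dict[str, bytes]) -> Optional[str]:
    """Extract the first `version = "..."` line from Cargo.toml."""
    m = re.search(rb'^\s*version\s*=\s*"([^"]+)"', files.get("Cargo.toml", b""), re.M)
    return m.group(1).decode() if m else None


def toy_build(files: dict[str, bytes]) -> bytes:
    """Stand-in for `cargo package` (assumption): a deterministic concatenation.
    A real build must be reproducible (pinned toolchain, no embedded timestamps)
    for the artifact comparison below to be meaningful."""
    return b"".join(f"{p}\n".encode() + files[p] + b"\n" for p in sorted(files))


def artifact_hash(files: dict[str, bytes]) -> str:
    return hashlib.sha256(toy_build(files)).hexdigest()


def make_record(source: dict[str, bytes], uploader: str = "ci") -> dict:
    """What a CI-only registry would store at publish time (constructed layout)."""
    return {
        "crate": "example-crate",
        "version": crate_version(source),
        "uploader": uploader,
        "source_hash": hash_source_tree(source),
        "artifact_hash": artifact_hash(source),
    }


def verify_release(record: dict, source: dict[str, bytes]) -> list[str]:
    """Rebuild from the pinned source and list every mismatch with the record.
    An empty list means the published artifact is explained by its source."""
    problems: list[str] = []
    if record.get("uploader") != "ci":
        problems.append(f"upload was made by {record.get('uploader')!r}, not CI")
    v = crate_version(source)
    if v != record["version"]:
        problems.append(f"Cargo.toml version {v!r} != record version {record['version']!r}")
    if hash_source_tree(source) != record["source_hash"]:
        problems.append("source tree hash does not match the recorded commit")
    if artifact_hash(source) != record["artifact_hash"]:
        problems.append("rebuilt artifact hash does not match the published artifact")
    return problems


# Constructed sample crate; a real check would use load_source_tree(Path(...)).
SOURCE = {
    "Cargo.toml": b'[package]\nname = "example-crate"\nversion = "1.2.3"\n',
    "src/lib.rs": b"pub fn answer() -> u32 { 42 }\n",
}

if __name__ == "__main__":
    print("clean release:", verify_release(make_record(SOURCE), SOURCE))
    bad = dict(make_record(SOURCE), artifact_hash="0" * 64)
    print("tampered artifact:", verify_release(bad, SOURCE))
```

Because the source hash covers Cargo.toml, bumping only the version line changes the hash, which is the property the post asks for; the artifact comparison is the reproducible-build half and is only as strong as the determinism of the real build step.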