Packages should be built from source

Question

Packages should be built from source

Opened this issue 10 months ago · 3 comments

There is a lot of verification done to make sure that a thing that is downloaded is definitely a thing that is uploaded, and that someone is allowed to upload something.

This design takes inspiration from programming language package managers, where packages can be verified by reading the source code.

However this is very different, we want to securely distribute binaries, which aren't human readable. This is something Linux distributions are good at, read https://wiki.debian.org/SourceOnlyUpload.

How I think it should work:

Maintainer figures out how to build a package locally.
Maintainer uploads signed files:

where to get the upstream source
bindings for the source
how to build the source
which files to distribute

And if the build is reproducible a signed checksum for the resulting binary(s).

I would take inspiration from arch's "PKGBUILD" here. Those are relatively short and easy to verify. Alternatively a simple template for a Dockerfile would also work.

Then a registry builds and verifies the package from source.
User downloads and verifies a package. Reproducible builds would be important here, otherwise verification is close to impossible, maybe non-reproducible packages could be built from source instead (using docker).

Otherwise if Maintainers upload binaries it is hard to verify, that they don't just ship straight up malware.

Without building from source the other security measures amount to security theater. The only verified fact is: this version is from the same random guy who uploaded the last version.

Sorry if this comes across as a little blunt, I want WASI to succeed and it's not going to if dependencies can't be easily verified.

Answer 1 · 2023-12-12T14:37:21.000Z

Reproducible and authenticated builds are an excellent goal for the Wasm ecosystem but in terms of implementation mostly outside of the scope of this specific project. We are planning to add pluggable package verification; one clear use-cases for that would be verification of package signatures from a build system. That build system is what would be responsible for the kind of process you describe.

While it is true that securing the delivery of binary packages from publisher to consumer only covers part of the supply chain, it is an important link in that chain.

Answer 2 · 2023-12-12T19:59:17.000Z

While listening to this talk https://youtu.be/1QbfKzQgD0E, where possible attacks on the ecosystem were mentioned, I was surprised to not find any mention of possible malicious Maintainers.

I was a bit worried that maintainers will be just absolutely trusted in this model, I'm glad to hear there is already some kind of idea how this could be mitigated.

In my view although package signing is also nice to have, authenticated builds are absolutely essential.

Answer 3 · 2023-12-12T21:35:47.000Z

Reproducible / verifiable build from source is a desirable property for package distribution. I was thinking it can be implemented by CI/CD type of services that publish on top of the Warg protocol.