transparencylog/tl

maintainer tooling: Links for projects?

Opened this issue · 6 comments

Would it make sense for projects to link to the appropriate entry on the log for releases?

Could we create a subcommand that spits out some text with the hashes and a link to the log that maintainers can paste into the release notes?

I think it is best if projects suggest using tl in their release notes. Linking to the log doesn’t provide a ton of value because:

  1. the user still needs to manually use shell scripts or something to generate a digest and verify their file just like a SHA256SUM file
  2. the user is unlikely to verify the log entry signature
  3. the user won’t be able to validate the log entry is included in the transparency log against the /latest log head

I have been thinking about a helper tool that generates tl get and tl validate lines based on a github release. Maybe we could create a new helper tool for those sorts of things.

Also, just writing a doc on how to tell users how to use the tool would be a good idea.

@amouat I created a GitHub action that automatically adds a project’s release assets if you want to add this to your projects: https://github.com/marketplace/actions/publish-release-assets-to-asset-transparency-log

Let me take a look!

I've been meaning to get back to you about this. I still would like to see checksums on the downloads page so that people with old-skool leanings can use existing tools to verify checksums without tl. I think if we can show the checksum matches the checksum on an external site with guarantees on immutability it still provides a level of reassurance (an attacker can't update the checksum on an existing release, they'd probably have to create a whole new release). Not sure if that makes any sense.

So what I'd still like to see is a human friendly web page on the log that shows the checksums and historic releases for a binary. Again, maybe this just doesn't make sense.

@amouat

What if I added a URL endpoint to the service that would enable something like:

curl https://beta-asset.transparencylog.net/sha256sum/github.com/transparencylog/tl/releases/download/v0.2.12/tl_0.2.12_darwin_x86_64.tar.gz > SHA256SUM
sha256sum -c SHA256SUM
tl_0.2.12_darwin_x86_64.tar.gz: OK

Would that be something you are interested in?

Alternatively I could add a subcommand

tl generate-sha256sum https://github.com/transparencylog/tl/releases/download/v0.2.12/tl_0.2.12_darwin_x86_64.tar.gz > SHA256SUM
sha256sum -c SHA256SUM
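The `sha256sum -c` flow sketched in the two variants above treats the fetched SHA256SUM file as trusted input. The script below is an added example, not part of the tl project or of this thread: it wraps that step in a `verify_asset` helper (a name chosen here) that first checks the fetched file has exactly one well-formed `<64 hex digits>  <bare filename>` line, the format `sha256sum` itself emits, before handing it to `sha256sum -c`, and it distinguishes a digest mismatch from a malformed file. The asset name mirrors the one in the thread but the payload is constructed, so it runs offline.

```shell
#!/bin/sh
# Added example, not tl's own code: verify a downloaded release asset against a
# SHA256SUM file of the shape the proposed endpoint would return, validating the
# file's format before trusting it to sha256sum -c.

# verify_asset SUMFILE ASSET
#   0  digest matches the single entry in SUMFILE
#   1  digest mismatch (asset or checksum file altered)
#   2  SUMFILE is not a single well-formed "<64 hex>  <asset filename>" line
verify_asset() {
  sumfile=$1
  asset=$2
  name=$(basename "$asset")
  dir=$(dirname "$asset")

  # A file fetched from a remote endpoint is untrusted input: insist on exactly
  # one line so an extra entry cannot smuggle in a second filename.
  [ "$(grep -c '' "$sumfile")" -eq 1 ] || return 2

  line=$(cat "$sumfile")
  hash=${line%%  *}   # text before the first double space
  file=${line#*  }    # text after it
  [ "$hash" != "$line" ] || return 2                        # no "  " separator
  printf '%s\n' "$hash" | grep -Eq '^[0-9a-f]{64}$' || return 2
  # The name field must be the bare asset filename; "../x" or "/etc/x" is rejected.
  [ "$file" = "$name" ] || return 2

  # sha256sum -c resolves the filename relative to the cwd, so make the sum
  # file's path absolute and run the check from the asset's directory.
  abs_sumfile=$(cd "$(dirname "$sumfile")" && pwd)/$(basename "$sumfile")
  (cd "$dir" && sha256sum -c --quiet --strict "$abs_sumfile") >/dev/null 2>&1
}

# Demonstration on a constructed asset: the filename mirrors the thread, the
# content is made up, and the SHA256SUM file stands in for the endpoint's reply.
demo() {
  tmp=$(mktemp -d)
  asset=$tmp/tl_0.2.12_darwin_x86_64.tar.gz
  printf 'constructed release payload\n' > "$asset"
  (cd "$tmp" && sha256sum tl_0.2.12_darwin_x86_64.tar.gz) > "$tmp/SHA256SUM"

  verify_asset "$tmp/SHA256SUM" "$asset" && rc=0 || rc=$?
  echo "pristine asset: rc=$rc"      # rc=0

  printf 'x' >> "$asset"             # simulate a swapped or corrupted download
  verify_asset "$tmp/SHA256SUM" "$asset" && rc=0 || rc=$?
  echo "tampered asset: rc=$rc"      # rc=1

  rm -rf "$tmp"
}

demo
```

This only establishes that the download matches what the checksum endpoint served; it does not check that the entry is included in the log against the `/latest` head, which is the part of the thread's point 3 that `tl` itself covers.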

I think that endpoint makes a lot of sense, even if it's just referred to in documentation and doesn't see much usage - it makes it clear what's happening behind the scenes with tl.

I do worry that the need to trust the tl binary will put some people off.

@amouat OK, I will think about that feature.

There is a verify script written in bash that is available right now: https://github.com/transparencylog/tl/blob/main/utils/asset-transparency-lookup-verify