
Comparing gem's source code on source repository and what's inside the .gem in rubygems #1943

Open
localhostdotdev opened this issue Apr 3, 2019 · 3 comments

Comments

@localhostdotdev

localhostdotdev commented Apr 3, 2019

Hi,

I think it would be great to have some kind of "reproducible builds" (like Debian does).

  • Uploaded gems can provide a source repository already (typically github)
  • From this, the gem could be built from source (from git tags ideally, or maybe some heuristics by looking at the last commit that updated the version)
  • Then checksum of the built gem (if building it succeeds) could be compared to the checksum of the published gem
  • Users could ask for "safe" gems only in their Gemfile (could become the default possibly once most popular gems have reproducible builds) (and could add exceptions for unsafe gems)

This doesn't totally prevent issues like hidden backdoors but could be a good step (the attacker would need commit access on Github and push access on rubygems).
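The check the four steps above describe, as an added Ruby example (not code from this issue or from rubygems' own tooling): it hashes a .gem two ways, whole-file as proposed and per file inside data.tar.gz, and stands in for the "build from source" step with a constructed one-file gem named repro-demo (a hypothetical name).

```ruby
require "rubygems/package"
require "digest"
require "tmpdir"
require "zlib"

# Step 3 of the proposal: the whole-file checksum of a .gem.
def gem_sha256(path)
  Digest::SHA256.file(path).hexdigest
end

# A .gem is a tar of metadata.gz, data.tar.gz and checksums.yaml.gz; tar headers
# carry mtimes, so two honest builds can differ as whole files while shipping the
# same sources. Hashing each file inside data.tar.gz separates "rebuilt" from "changed".
def gem_content_digests(path)
  digests = {}
  File.open(path, "rb") do |io|
    Gem::Package::TarReader.new(io).each do |outer|
      next unless outer.full_name == "data.tar.gz"
      Zlib::GzipReader.wrap(outer) do |gz|
        Gem::Package::TarReader.new(gz).each do |entry|
          digests[entry.full_name] = Digest::SHA256.hexdigest(entry.read) if entry.file?
        end
      end
    end
  end
  digests
end

# Files whose payload differs between the locally built and the published gem
# (including files present on one side only); an empty list means the sources match.
def content_diff(built_gem, published_gem)
  a, b = gem_content_digests(built_gem), gem_content_digests(published_gem)
  (a.keys | b.keys).reject { |f| a[f] == b[f] }
end

# Constructed stand-in for "build the gem from the source repository": packs a
# one-file gem ("repro-demo", a hypothetical name) in a temp dir and returns its path.
def build_demo_gem(source)
  dir = Dir.mktmpdir
  Dir.chdir(dir) do
    Dir.mkdir("lib")
    File.write("lib/repro_demo.rb", source)
    spec = Gem::Specification.new do |s|
      s.name, s.version, s.summary, s.authors = "repro-demo", "0.1.0", "demo", ["example"]
      s.files = ["lib/repro_demo.rb"]
    end
    Gem::Package.build(spec, true) # skip_validation: no homepage/licence needed here
  end
  File.join(dir, "repro-demo-0.1.0.gem")
end
```

Whole-file digests of two back-to-back builds will usually differ because the tar headers record the build time; newer RubyGems honours SOURCE_DATE_EPOCH, which makes the whole-file comparison from step 3 meaningful.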

@greysteil
Contributor

Thanks for this. I'm not a rubygems maintainer, but have a big interest in this issue (I run Dependabot, which creates dependency update PRs on GitHub and links to the source code diff for those updates).

I'm super keen to help in any way on this one. If we need to link up with folks at GitHub then I work with them pretty closely thanks to Dependabot. If we want a third party to do the work of gem verifying then Dependabot could do that work (there's already an issue on our feedback repo suggesting that). If it needs a bunch of engineering time then I can put in time on this.

@rubyFeedback

It's a great idea. My only minor concern is that this interconnects (and thus mandates) GitHub, but not everyone on rubygems.org may have (or want) to have an account at GitHub.

I understand that a third party may mean less work though. If possible, my personal favourite here would be to be able to do so through the account on rubygems.org - what is done behind the scenes would then not be so important (for me as a user), but I think it would be fairly bad if users were forced to have multiple accounts at several separate/disparate websites.

@simi
Member

simi commented Nov 11, 2023

If I understand it well, this would be fixed by adopting SLSA.
