Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC for linking packages to their source and build #626

Merged
merged 39 commits into from
Nov 7, 2022
Merged

RFC for linking packages to their source and build #626

Changes from 1 commit
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
6e6ec6c
RFC for linking packages to their source and build
feelepxyz Aug 8, 2022
8677dcf
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 8, 2022
9d6d28e
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 8, 2022
3432621
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 8, 2022
620b247
Addressing PR comments
feelepxyz Aug 8, 2022
aec5894
certs > certificates
feelepxyz Aug 8, 2022
3833cb4
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
821e639
Clarify provenance
feelepxyz Aug 9, 2022
849b928
Add Jenkins comparison
feelepxyz Aug 9, 2022
956afb4
Add tuf repo and root
feelepxyz Aug 9, 2022
147777d
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
5ed0772
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
78a7ee7
Rename CLI arg
feelepxyz Aug 9, 2022
262a0b3
Add Circle and GitLab to env table
feelepxyz Aug 9, 2022
0c69e1c
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
6b77dc9
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
da8a901
Add note on sct and slsa prov verifier
feelepxyz Aug 9, 2022
7c1b9ed
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 9, 2022
ce838d5
Update sequence diagram to include id token req
feelepxyz Aug 9, 2022
996b6d5
Fix ref to reverse proxy
feelepxyz Aug 9, 2022
fdf8d9d
Clarify sigstore conf is from the configured reg
feelepxyz Aug 9, 2022
ab81e1c
Add note about perf benchmark
feelepxyz Aug 9, 2022
718650a
Add note about commitments
feelepxyz Aug 10, 2022
edb7937
Add section on long-lived ci/cd secrets
feelepxyz Aug 11, 2022
3a030f9
Add a summary to implementation details
feelepxyz Aug 11, 2022
a2c45c2
Update provenance generation
feelepxyz Aug 11, 2022
65e2a91
Clarify sigstore-js env support
feelepxyz Aug 11, 2022
6f67e0b
Add section on additional events
feelepxyz Aug 11, 2022
90c3673
Add section on unanswered questions
feelepxyz Aug 11, 2022
44d0c62
Add note about audit sig
feelepxyz Aug 11, 2022
fff96cd
Expand Web PKI
feelepxyz Aug 15, 2022
be4ecba
Expand CAs
feelepxyz Aug 15, 2022
4927444
Run a transparency log monitor for Rekor
feelepxyz Aug 18, 2022
17aa6a7
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Aug 19, 2022
842db1e
Update non-goals and trusted builder
feelepxyz Aug 25, 2022
0715e14
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz Oct 12, 2022
16822dd
Merge remote-tracking branch 'origin/main' into link-packages-to-sour…
feelepxyz Oct 25, 2022
9bfdb52
Add note about travis credits
feelepxyz Oct 25, 2022
53e2206
Sigstore GA, release > publish attestation
feelepxyz Nov 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 11 additions & 9 deletions accepted/0000-link-packages-to-source-and-build.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,12 @@ Open source maintainers must be able to link their packages to the source and bu
## Non-goals
- Support for private/inner-source packages to begin with.
- Our primary goal is to link packages hosted on the npm registry to the source and build it originated from, for this to be broadly useful, the source code and build need to be publicly available. We're committed to eventually supporting private use cases.
- Support for self-hosted CI/CD systems.
- Support signing from self-hosted CI/CD systems.
- Support signing from local machines or laptops.
- The initial goal does not support signing from your local laptop as our primary aim is to link the package to the source repo it was published from. There's no scalable way of making sure this source information isn't falsified when it comes from a local machine.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you elaborate here on why a local machine that i can configure is different than a CI machine that i can configure?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a state space problem. A CI/CD system that is hosted immutably and can be verified/audited will be simpler to reason about compared with a laptop that usually has lots of arbitrary stuff installed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Supporting signing from both CI/CD and local machines increases the scope of the initial work quite a bit so we've decided to just start with signing from CI/CD as the identity solution (OIDC id tokens issued by the CI provider) does not extend to local machines.

There are ways we can support signing from local machines in future, e.g. using proof of email linked to a maintainer but this gives different guarantees than signing from CI/CD.

Related to this, my hope is that all public packages are eventually published from open, auditable and automated systems with all the other benefits this brings like ephemeral environments and the ability to prove what went into a build. Maybe I'm deluding myself on the possibility of this though? 🤔

I also think the experience and selection of automated build systems could be vastly improved to make publishing from one as easy as toggling a button or two on whatever source control system you might use that just works with the package setup/registry and versioning scheme you use.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@feelepxyz the possibility is only there if the community freely decides to make that move - and it’s not a free decision unless the existing mechanisms are equally privileged.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Related to this, my hope is that all public packages are eventually published from open, auditable and automated systems with all the other benefits this brings like ephemeral environments and the ability to prove what went into a build. Maybe I'm deluding myself on the possibility of this though? 🤔

I think there are two reasons why this is challenging:

  • exploration - whether from someone just learning JavaScript or from someone just exploring a new solution to a problem they have, this adds barriers and weight.
  • tooling - currently, npm simply does not provide the necessary tools that make such automated publishing safe and reliable for anyone operating past a certain scale or who requires a certain level of trust.

I agree that things could be dramatically easier. Unfortunately that does require substantial investments, and it is seemingly often very challenging for certain teams to actually secure the necessary resources to be able to accomplish the outcomes that are required to achieve that ease.

- Linking already published packages to their source repository to detect if a published package might have untracked changes.
- The idea here would be to attempt to rebuild an already published package from the source defined in the `package.json` and create a signed link if the source matches the published package. This would give some of the same benefits as described in this RFC for existing packages without any effort from the maintainer.
- Supporting legacy packages isn't planned as part of the initial work but something we remain open to exploring in the future as we see this being built on top of the capabilities we would be adding here. This proposal lays out the building blocks for signing metadata about a package (attestations) that we can build on.
- Mitigate every possible supply chain attack against the npm registry. For example:
- Registry/mirror/proxy MITM attacks
- Denial of service attacks against the registry or client from a compromised mirror/proxy
Expand Down Expand Up @@ -435,7 +440,11 @@ Non-falsifiable provenance information is a [requirement to reach SLSA level 3](

Using a trusted builder to publish an npm release will ensure a higher level of build integrity. Using it will be optional, but highly recommended. Verification of build provenance will include checks to determine if a trusted builder was used.

At a high level, the trusted builder will checkout the git repo, install dependencies and execute `npm run build` followed by `npm publish`. Maintainers can only control what is run during `npm run build` not add or remove steps from the trusted builder. Provenance generation will be run in a separate workflow step that's isolated from the build and install.
At a high level, the trusted builder will checkout the git repo, install dependencies and execute a user supplied build command (e.g. `npm run build`) followed by `npm publish`.

The primary function of the trusted builder is to know what went into the build (inputs, environment variables etc) and what commands where run. See this [provenance example from the slsa-github-generator for a go project](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/go#provenance-example).

Maintainers can only control what is run during the build and not add or remove steps from the trusted builder.

Using the trusted builder does not guarantee that your project has reached SLSA level 3. This could be achieved on a case-by-case basis by auditing the build scripts, making sure no untrusted scripts are fetched from outside the source repo and executed.

Expand Down Expand Up @@ -602,13 +611,6 @@ It's technically possible to use something like this to produce verifiable build

Implementation for verifying [SLSA Provenance](/Users/feelepxyz/src/github.com/npm/rfcs/accepted/0000-link-packages-to-source-and-build.md). It currently supports verifying provenance generated by the [SLSA generator for Go projects](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml).

## Unanswered questions

- How could we support legacy packages that might not be maintained anymore?
- Would it be possible to backfill "provenance" on packages where code in an existing repository link defined in `package.json` can be matched against the published package?
- It seems theoretically possible to backfill provenance if the source can be matched but doing this reliably is not a solved problem and would require fine tuning heuristics to build the package and find the corresponding release, for example inferring typescript compilation and finding the release via tags on the repo.
- Supporting legacy packages isn't planned as part of any initial work, it's also not clear if it would be worth the engineering effort.

## Glossary

Overview of the tools, techniques and terms used throughout this RFC document.
Expand Down