rebuilding Maven Central Repository artifacts: welcome reproducible-central

Arnout Engelen arnout at bzzt.net
Fri Apr 3 12:26:36 UTC 2020


On Fri, Apr 3, 2020 at 1:06 PM Julien Lepiller <julien at lepiller.eu> wrote:
> something that could help guix is a relation groupid/artifactid -> source

This is indeed an interesting topic.

Artifacts published under a groupid/artifactid typically have a
pom.xml with an 'scm' section pointing to the sources (for example
https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.pom
).

I think we might need to be careful not to blindly trust that
information: if we blindly downloaded those sources and rebuilt
them, an attacker could point that 'scm' section to his backdoored
version of the application, and the rebuilder would rebuild them -
backdoor-and-all. Still better than not having that at all, but it
would be a shame if that'd go unnoticed.

When publishing a buildinfo file alongside the other artifacts (like
for example https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo
), that buildinfo also has an scm section. I wonder if we should
define that to be interpreted just as "these are the sources I
happened to build", or stronger as "I assert that this is a correct
source location for the project"?

This could also be one contribution of the fact that
reproducible-central has its own 'buildspec' (e.g.
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/github/derkrischan/jpdftest/jpdftest-0.8.0.buildspec
): introducing that buildspec gives us another source of information
on what the correct location for the sources for that project is - and
when someone uploads a new buildspec, that might be a natural moment
to validate this.

What do you think?


Arnout
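One way to make the cross-validation described in this message concrete is to treat the pom.xml 'scm' section, the buildinfo's source location and the buildspec's repository as three independent claims about where the sources live, normalize them, and flag any disagreement before a rebuilder fetches anything. The script below is an added example for this thread, not code from Arnout, Maven or reproducible-central; the sample pom, buildinfo and buildspec are constructed, and the key names it looks for (source.scm.uri in the buildinfo, gitRepo in the buildspec) are assumptions about those formats.

```python
"""Cross-check the source location of a Maven artifact across three
independent sources: the published pom.xml, the published .buildinfo and a
reproducible-central buildspec. Disagreement is a signal to look closer
before a rebuilder downloads and builds whatever the pom points at.
Added example for the rb-general thread; formats and key names are assumed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from any real artifact).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>widget</artifactId>
  <version>1.2.3</version>
  <scm>
    <url>https://github.com/example/widget</url>
    <connection>scm:git:https://github.com/example/widget.git</connection>
    <tag>v1.2.3</tag>
  </scm>
</project>
"""

SAMPLE_BUILDINFO = """# constructed sample; key names assumed to follow the Maven buildinfo format
name=widget
group-id=org.example
artifact-id=widget
version=1.2.3
source.scm.uri=scm:git:https://github.com/example/widget.git
source.scm.tag=v1.2.3
"""

SAMPLE_BUILDSPEC = """# constructed sample; key names assumed to follow the reproducible-central buildspec
groupId=org.example
artifactId=widget
version=1.2.3
gitRepo=https://github.com/example/widget.git
gitTag=v1.2.3
tool=mvn
"""

# Same buildspec, but pointing at a different repository: this is the case
# the check is meant to catch.
SAMPLE_BUILDSPEC_MISMATCH = SAMPLE_BUILDSPEC.replace(
    "https://github.com/example/widget.git",
    "https://github.com/someone-else/widget.git")


def normalize_scm(url):
    """Reduce the different spellings of one SCM location to a canonical form."""
    if url is None:
        return None
    u = url.strip()
    # Strip Maven's scm:<provider>: prefix, e.g. scm:git:https://...
    m = re.match(r"^scm:[a-z]+:(.*)$", u)
    if m:
        u = m.group(1)
    # git@host:owner/repo -> https://host/owner/repo
    m = re.match(r"^git@([^:]+):(.*)$", u)
    if m:
        u = "https://%s/%s" % (m.group(1), m.group(2))
    u = u.rstrip("/")
    if u.endswith(".git"):
        u = u[:-4]
    return u.lower()


def pom_scm(pom_text):
    """Return the scm/connection (or scm/url as fallback) from a pom.xml."""
    root = ET.fromstring(pom_text)
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    node = root.find("m:scm/m:connection", ns)
    if node is None:
        node = root.find("m:scm/m:url", ns)
    return node.text if node is not None else None


def parse_properties(text):
    """Minimal key=value parser for buildinfo and buildspec files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def cross_check(pom_text, buildinfo_text, buildspec_text):
    """Compare the three claimed source locations; consistent only if all agree."""
    sources = {
        "pom": normalize_scm(pom_scm(pom_text)),
        "buildinfo": normalize_scm(parse_properties(buildinfo_text).get("source.scm.uri")),
        "buildspec": normalize_scm(parse_properties(buildspec_text).get("gitRepo")),
    }
    distinct = {v for v in sources.values() if v is not None}
    missing = [k for k, v in sources.items() if v is None]
    return {
        "sources": sources,
        "consistent": len(distinct) == 1 and not missing,
        "missing": missing,
    }


if __name__ == "__main__":
    print(cross_check(SAMPLE_POM, SAMPLE_BUILDINFO, SAMPLE_BUILDSPEC))
    print(cross_check(SAMPLE_POM, SAMPLE_BUILDINFO, SAMPLE_BUILDSPEC_MISMATCH))
```

Agreement between the three does not prove the location is honest (an attacker who controls the release can make all three consistent), but a disagreement at buildspec-upload time is exactly the "natural moment to validate" the message talks about, and a missing location in any of them is worth flagging too.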
