Comments (5)
On the surface, this seems reasonable and useful from at least a mirroring point of view (as it's a bit tricky to mirror currently).
However, it is a bit more complicated. The data in the API allows many Homebrew commands to work offline and significantly faster, such as `brew deps`, `brew info (--json)`, etc. As more concrete examples: the requirements list is useful to fail fast if something isn't supported on your OS, and the dependency tree is ideal to know ahead of time as we fetch everything before parsing.
There's also a security element. We sign the API JSON so it cannot be tampered with by mirrors. No independent protection exists for manifests (it's covered by the bottle sha256s being included in the signed API JSON).
I would like to lean on the manifests more overall, but only if it doesn't degrade the above.
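The trust argument in the comment above (the API JSON is signed, and the bottle sha256s inside it are what protect the otherwise unsigned manifests) can be made concrete with a small verifier. The following is an added illustration written for this page, not Homebrew's own code: the signature is stood in for by an HMAC under a constructed publisher key (the real service uses a public-key scheme, but the check has the same shape), and the formula data, manifest and bottle bytes are all constructed for the example.

```python
"""Added illustration (not Homebrew's code): a client that trusts only the
signed API JSON and checks every bottle it gets from a mirror against the
sha256 recorded there, so neither the mirror's manifest nor its blob store
needs to be trusted on its own.

Constructed assumptions:
- PUBLISHER_KEY and the HMAC "signature" stand in for the real signing scheme
- the API JSON records, per formula and platform, the bottle's sha256
- the mirror serves an OCI-style manifest listing a layer digest, plus blobs
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

PUBLISHER_KEY = b"constructed-publisher-key"  # stand-in for the signing key


def canonical(api: dict) -> bytes:
    # Sign and verify the same canonical bytes, otherwise re-serialisation
    # by a mirror would break verification even without tampering.
    return json.dumps(api, sort_keys=True, separators=(",", ":")).encode()


def sign_api_json(api: dict, key: bytes = PUBLISHER_KEY) -> Tuple[bytes, str]:
    body = canonical(api)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_api_json(body: bytes, signature: str, key: bytes = PUBLISHER_KEY) -> dict:
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("API JSON signature invalid; refusing mirror data")
    return json.loads(body)


def fetch_bottle(manifest: dict, blobs: Dict[str, bytes]) -> bytes:
    # The manifest is unsigned: it only tells us which blob to ask for.
    digest = manifest["layers"][0]["digest"].removeprefix("sha256:")
    return blobs[digest]


def bottle_matches_signed_digest(api: dict, formula: str, platform: str, bottle: bytes) -> bool:
    # The digest in the signed JSON is the trust anchor for the bottle itself;
    # whatever the manifest claimed, the bytes must hash to this value.
    recorded = api["formulae"][formula]["bottle"]["files"][platform]["sha256"]
    return hmac.compare_digest(hashlib.sha256(bottle).hexdigest(), recorded)


def demo() -> Dict[str, bool]:
    genuine = b"constructed bottle bytes for hello 1.0"
    swapped = b"constructed bottle bytes a mirror substituted"
    g_digest = hashlib.sha256(genuine).hexdigest()
    s_digest = hashlib.sha256(swapped).hexdigest()

    api = {"formulae": {"hello": {"version": "1.0", "dependencies": ["zlib"],
           "bottle": {"files": {"arm64_sonoma": {"sha256": g_digest}}}}}}
    body, sig = sign_api_json(api)
    trusted = verify_api_json(body, sig)

    blobs = {g_digest: genuine, s_digest: swapped}
    honest_manifest = {"layers": [{"digest": "sha256:" + g_digest}]}
    swapped_manifest = {"layers": [{"digest": "sha256:" + s_digest}]}

    results = {
        "honest_manifest_ok": bottle_matches_signed_digest(
            trusted, "hello", "arm64_sonoma", fetch_bottle(honest_manifest, blobs)),
        "swapped_manifest_ok": bottle_matches_signed_digest(
            trusted, "hello", "arm64_sonoma", fetch_bottle(swapped_manifest, blobs)),
    }

    # A mirror that edits the JSON to bless its own bottle breaks the signature.
    edited = json.loads(body)
    edited["formulae"]["hello"]["bottle"]["files"]["arm64_sonoma"]["sha256"] = s_digest
    try:
        verify_api_json(canonical(edited), sig)
        results["edited_json_accepted"] = True
    except ValueError:
        results["edited_json_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The `swapped_manifest_ok` case is the one the comment is about: the manifest carries no signature of its own, yet a manifest that points at a different blob still cannot get that blob accepted, because the client compares the bottle against the digest inside the signed JSON rather than against anything the manifest says.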
> There's also a security element. We sign the API JSON so it cannot be tampered with by mirrors. No independent protection exists for manifests (it's covered by the bottle sha256s being included in the signed API JSON).
This is my main concern here, too.
> However, it is a bit more complicated. The data in the API allows many Homebrew commands to work offline and significantly faster, such as `brew deps`, `brew info (--json)`, etc. As more concrete examples: the requirements list is useful to fail fast if something isn't supported on your OS, and the dependency tree is ideal to know ahead of time as we fetch everything before parsing.
I'm not proposing getting rid of the API or its data, I am proposing that the exact same data should be stored alongside the bottle in the container registry.
> There's also a security element. We sign the API JSON so it cannot be tampered with by mirrors. No independent protection exists for manifests (it's covered by the bottle sha256s being included in the signed API JSON).
OCI artifacts can be signed and verified in a similar way to how Homebrew signs the API JSON; Notary and cosign are both established standards for signing and verifying OCI artifacts.
> I'm not proposing getting rid of the API or its data, I am proposing that the exact same data should be stored alongside the bottle in the container registry.
How would a client (e.g. Hops) know what formulae are available without using the API here?
> Notary and cosign are both established standards for signing and verifying OCI artifacts.
TIL, thanks.
I think that signing would be a hard requirement on our end for either this or #17837. It might be the best first step, here.
> OCI artifacts can be signed and verified in a similar way to how Homebrew signs the API JSON; Notary and cosign are both established standards for signing and verifying OCI artifacts.
JFYI: We don't do it at the OCI layer, but Homebrew does indeed use Sigstore (the stack under cosign) to attest to all of its (core) bottles: https://github.com/Homebrew/homebrew-core/attestations.
(Not sure if this is relevant to you; I just noticed the cosign reference 🙂)