Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a bundle auditing tool (endo unbundle) #1656

Open
kriskowal opened this issue Jun 28, 2023 · 8 comments
Open

Create a bundle auditing tool (endo unbundle) #1656

kriskowal opened this issue Jun 28, 2023 · 8 comments
Assignees
Labels
kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024

Comments

@kriskowal
Copy link
Member

kriskowal commented Jun 28, 2023

For the purposes of verifying the content and integrity of a bundle, as motivated by the need to audit governance proposals with Agoric chains, we need a tool that can verify the integrity of a bundle and extract it to the file system so an auditor can inspect the full working set of sources, without the distraction of adjacent files from the original source tree, notably in the absence of source maps.

Currently, we have @endo/check-package which provides the implementation of the integrity check. We also have most of the tools necessary for extraction between @endo/zip and JSON.parse. We just need a CLI veneer. That could be an endo subcommand.

This would be a substitute for the manual advice for validating a bundle:

  • Verify that jq -r .moduleFormat bundle.json is endoZipBase64
  • Extract the zip file jq -r .endoZipBase64 bundle.json | base64 -d > bundle.zip (or the governance proposal can just refer to a zip file, or even a tarball)
  • unzip bundle.zip
  • sha512sum compartmetn-map.json must match the proposed bundle identifier!
  • In compartment-map.json, every module description must include a sha512 that matches the sha512sum of the corresponding .js.pre.json module file.
  • You can extract the readable source from each of the precompiled modules with jq -r '.__syncModuleProgram__' compartment/module.pre.js.json
@dckc
Copy link
Contributor

dckc commented Oct 6, 2023

I prototyped a web-based tool for exploring bundles after they are put on chain:

@kriskowal kriskowal self-assigned this Jan 8, 2024
@kriskowal kriskowal added the kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024 label Jan 8, 2024
@kriskowal kriskowal changed the title Create a bundle auditing tool Create a bundle auditing tool (endo unbundle) Jan 18, 2024
@dckc
Copy link
Contributor

dckc commented Jan 18, 2024

stretch goal: bundle diff... it would be nice if I went from marshal 0.6.1 to 0.6.2, it told me what the differences are, rather than saying "only in b2: 0.6.2"

@dckc
Copy link
Contributor

dckc commented Feb 17, 2024

More motivation:

@dckc

This comment was marked as resolved.

@dckc

This comment was marked as resolved.

@dckc

This comment was marked as resolved.

@dckc
Copy link
Contributor

dckc commented May 11, 2024

stretch goal: bundle diff...

I just discovered:

diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them. It can compare two tarballs, ISO images, or PDF just as easily.

@kriskowal
Copy link
Member Author

Here’s an “endo unbundle” implementation that will work on Mac.

function undo() {
  mkdir -p "$1" && jq -r .endoZipBase64 | base64 -d | tar xC "$1"
}

Usage:

undo bundle < bundle.json

mergify bot added a commit to Agoric/agoric-sdk that referenced this issue Jun 17, 2024
refs: #1656

## Description

Spike on endojs/endo#1656 @kriskowal , similar to https://github.com/Agoric/agoric-sdk/discussions/8416 @dckc 

Makes the core-eval metadata available to `agoric run` so it can report more to the user. cc @michaelfig 

Adds a `--verbose` flag to report:

<img width="687" alt="Screenshot 2024-06-13 at 1 46 28 PM" src="https://github.com/Agoric/agoric-sdk/assets/21505/b76b4d14-2fbd-45c2-b7a5-d94f964f2461">

Also a `scripts/stat-bundle.js` to stat a known bundle path.

### Security Considerations


### Scaling Considerations


### Documentation Considerations


### Testing Considerations


### Upgrade Considerations
mhofman pushed a commit to Agoric/agoric-sdk that referenced this issue Jun 20, 2024
refs: #1656

## Description

Spike on endojs/endo#1656 @kriskowal , similar to #8416 @dckc 

Makes the core-eval metadata available to `agoric run` so it can report more to the user. cc @michaelfig 

Adds a `--verbose` flag to report:

<img width="687" alt="Screenshot 2024-06-13 at 1 46 28 PM" src="https://github.com/Agoric/agoric-sdk/assets/21505/b76b4d14-2fbd-45c2-b7a5-d94f964f2461">

Also a `scripts/stat-bundle.js` to stat a known bundle path.

### Security Considerations


### Scaling Considerations


### Documentation Considerations


### Testing Considerations


### Upgrade Considerations
mhofman pushed a commit to Agoric/agoric-sdk that referenced this issue Jun 22, 2024
refs: #1656

## Description

Spike on endojs/endo#1656 @kriskowal , similar to #8416 @dckc 

Makes the core-eval metadata available to `agoric run` so it can report more to the user. cc @michaelfig 

Adds a `--verbose` flag to report:

<img width="687" alt="Screenshot 2024-06-13 at 1 46 28 PM" src="https://github.com/Agoric/agoric-sdk/assets/21505/b76b4d14-2fbd-45c2-b7a5-d94f964f2461">

Also a `scripts/stat-bundle.js` to stat a known bundle path.

### Security Considerations


### Scaling Considerations


### Documentation Considerations


### Testing Considerations


### Upgrade Considerations
mergify bot added a commit to Agoric/agoric-sdk that referenced this issue Aug 31, 2024
refs: #9900

## Description
This uses the new `--elide-comments` option in Endo bundle-source to… elide comments. Always.

Measured with:
```
cd a3p-integration
rm -f **/b1-*.json*
yarn build:submissions
du -csh **/b1-*.json
gzip **/b1-*.json
du -csh **/b1-*.json.gz
```

Before: 26M (6.7M gz)
After: 19M (4.1M gz)


### Security Considerations
No change in runtime. Does affect code auditability. Existing bundles are base64 encoded so readers will have to find the sources anyway. Either way we will need to invest in special tooling: endojs/endo#1656

### Scaling Considerations
reduces on-chain storage

### Documentation Considerations
End users who base64 decode the on-chain bundles will no longer see comments… I don't expect anyone was doing this.

### Testing Considerations
existing coverage

### Upgrade Considerations
won't affect any existing deployments
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kriskowal-review-2024-01 Issues that kriskowal wants to bring to the attention of the team for review as of January, 2024
Projects
None yet
Development

No branches or pull requests

2 participants