
Comment by notepad0x90

9 hours ago

I don't think you've addressed the requirement of having to execute the software, that was my main objection.

Another matter is that most software I know of doesn't even use lock files. Furthermore, there is lots and lots of software that would need to be updated to support your scheme, but updating them just isn't practical. It would have to be relegated to the type of software that gets regularly updated and whose authors care about this stuff. I mean, we can't even get proper software authors to host a security.txt on their website reliably. It needs to work for "old" software, and "new" software would need to spend time and effort implementing this scheme. How can we get people that won't even sign their executable to sign a lock file and participate in the verification process?

> I don't think you've addressed the requirement of having to execute the software, that was my main objection.

I believe I did:

> This can all be verified at any point in the lifecycle without running any of the code, provided a network connection and/or the module cache.

It does not require a JS runtime[0] - you fetch a tarball and check its integrity. You can extract it and validate the integrity of a module cache or (non-minified) distribution.

> Another matter is that most software I know of doesn't even use lock files.

I don't believe the goal should be to lower the bar until "most software I know" passes. And you don't need all the libraries you depend on to ship lockfiles/SBOMs themselves as long as you take ownership of it and wrap it up in your own builds and installations, right? Besides, lockfiles are definitely the norm in js/npm land these days from what I see...

[0]: If you have a dependency with a lifecycle script which at runtime say downloads, builds and installs new components into the module tree then all bets are off. If you are doing SBOMs for anything more than theatrical checkbox compliance, such (usage of) dependencies should already have been yeeted before you got here and if not, well, I guess you have work to do. If you get to this point I'd say the process is serving its purpose in forcing you to face these.
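The reply above describes checking a fetched tarball against the lockfile pin, and footnote [0] describes the lifecycle-script caveat; the following is an added example of both checks (my code, not the commenter's), assuming npm's package-lock v2/v3 layout (a "packages" map whose entries carry "resolved" and an SRI "integrity" value) and using constructed in-memory tarballs with hypothetical package names and URLs.

```python
import base64, hashlib, hmac, io, json, tarfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def build_tarball(files):
    """Constructed in-memory .tgz standing in for a fetched registry tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sri(data, algo="sha512"):
    """Integrity string as npm lockfiles store it: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_integrity(tarball, expected):
    """Hash the fetched bytes and compare to the pin; nothing is unpacked or executed."""
    algo, _, digest = expected.partition("-")
    actual = base64.b64encode(hashlib.new(algo, tarball).digest()).decode()
    return hmac.compare_digest(actual, digest)

def lifecycle_scripts(tarball):
    """Read package/package.json out of the archive to see what an install would run."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        pkg = json.load(tar.extractfile("package/package.json"))
    return [s for s in LIFECYCLE if s in pkg.get("scripts", {})]
def audit(lock, fetched):
    """Per lockfile entry: do the bytes match the pin, and are install-time hooks inside?"""
    report = {}
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself has no tarball
            continue
        data = fetched[entry["resolved"]]
        report[path] = {"integrity_ok": verify_integrity(data, entry["integrity"]),
                        "lifecycle_scripts": lifecycle_scripts(data)}
    return report
# Constructed sample: 'left' is served as pinned; 'pad' was pinned clean, but the tarball
# now served carries a postinstall hook (hypothetical names and URLs, not real packages).
LEFT = build_tarball({"package/package.json": b'{"name":"left","version":"1.0.0"}'})
PAD_PINNED = build_tarball({"package/package.json": b'{"name":"pad","version":"2.0.0"}'})
PAD_SERVED = build_tarball({"package/package.json":
    b'{"name":"pad","version":"2.0.0","scripts":{"postinstall":"node setup.js"}}'})
LOCK = {"packages": {"": {"name": "app"},
    "node_modules/left": {"resolved": "https://registry.invalid/left-1.0.0.tgz", "integrity": sri(LEFT)},
    "node_modules/pad": {"resolved": "https://registry.invalid/pad-2.0.0.tgz", "integrity": sri(PAD_PINNED)}}}
FETCHED = {"https://registry.invalid/left-1.0.0.tgz": LEFT, "https://registry.invalid/pad-2.0.0.tgz": PAD_SERVED}
```

Calling `audit(LOCK, FETCHED)` reports `pad` as failing the pin and carrying a `postinstall` hook, which is exactly the case footnote [0] says should already have been removed before an SBOM exercise gets this far.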