Given the recent events, I don't want to trust releases of open-source projects.
For example, pip install tree-sitter-python downloads and extracts a wheel that contains many Python files and one binary file _binding.abi3.so. How can I be sure that _binding.abi3.so was built from https://github.com/tree-sitter/tree-sitter-python without backdoors or other "great new features" added?
Here's what I did:

1. Made a new private repo and pushed contents of tree-sitter-python at tag v0.21.0 there
2. Using git commit logs, find the latest commit of tree-sitter/workflows at the time of releasing tree-sitter-python v0.21.0
3. Copy the build steps from that commit of tree-sitter/workflows to my private fork. Disable macos-13 because it no longer works.
4. Run the build in GitHub Actions on my private fork
5. Download and extract the wheel file built in GitHub Actions
6. Compare my binary file and the binary from pypi --> the file contents are exactly the same.
This works, but it's a pain, especially if I use many tree-sitter-foo packages that are all built individually. It also doesn't work if the build used something that no longer exists, e.g. macos-13.
Maybe we could print the hashes of all source files at the start of the build, and print the hash of the binary file at the end of the build? This would make verifying much easier.
This discussion was converted from issue #249 on June 01, 2024 20:43.
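The comparison in step 6 above, and the per-file hashing the poster suggests printing during the build, can be automated. The script below is an added example and is not code from the tree-sitter project or from the poster: it computes a SHA-256 digest for every member of two wheel files (wheels are plain zip archives), reports which members are missing or differ, and can also digest a source checkout so the same listing can be printed at the start of a build. The two wheels it compares are constructed in memory with placeholder contents; the file names mirror the tree-sitter-python layout but the bytes are not real build output.

```python
"""Compare per-file SHA-256 digests of two wheels (zip archives) and of a source tree.

Added example for verifying a locally rebuilt wheel against a downloaded one.
All sample archives below are constructed in memory; no real tree-sitter output is used.
"""
import hashlib
import io
import os
import zipfile
from typing import Dict, List


def _sha256_stream(fh) -> str:
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_archive(data: bytes) -> Dict[str, str]:
    """Return {member name: sha256 hex} for every regular file inside a zip/wheel."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                digests[info.filename] = _sha256_stream(fh)
    return digests


def digest_tree(root: str) -> Dict[str, str]:
    """Return {relative path: sha256 hex} for every file under root.

    Printing this at the start of a CI build records exactly which sources went in.
    """
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = _sha256_stream(fh)
    return digests


def diff_digests(mine: Dict[str, str], theirs: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify members as missing on one side or present on both with different bytes."""
    common = set(mine) & set(theirs)
    return {
        "only_in_mine": sorted(set(mine) - set(theirs)),
        "only_in_theirs": sorted(set(theirs) - set(mine)),
        "changed": sorted(n for n in common if mine[n] != theirs[n]),
    }


def wheels_match(local_wheel: bytes, downloaded_wheel: bytes) -> bool:
    """True only when both wheels contain the same members with identical digests."""
    report = diff_digests(digest_archive(local_wheel), digest_archive(downloaded_wheel))
    return not any(report.values())


def build_wheel(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip with the given members (stand-in for a real wheel)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample wheels: same Python files, but the native binding differs.
# The binary contents are placeholders, not real ELF objects.
_COMMON = {
    "tree_sitter_python/__init__.py": b"from ._binding import language\n",
    "tree_sitter_python-0.21.0.dist-info/RECORD": b"(placeholder RECORD)\n",
}
LOCAL_WHEEL = build_wheel({**_COMMON, "tree_sitter_python/_binding.abi3.so": b"placeholder-local-build"})
DOWNLOADED_WHEEL = build_wheel({**_COMMON, "tree_sitter_python/_binding.abi3.so": b"placeholder-other-build"})


def compare_sample() -> Dict[str, List[str]]:
    """Run the comparison on the constructed wheels; used by the demo below."""
    return diff_digests(digest_archive(LOCAL_WHEEL), digest_archive(DOWNLOADED_WHEEL))


if __name__ == "__main__":
    for name, digest in sorted(digest_archive(LOCAL_WHEEL).items()):
        print(f"{digest}  {name}")
    print("match:", wheels_match(LOCAL_WHEEL, DOWNLOADED_WHEEL))
    print("report:", compare_sample())
```

The check deliberately compares every member, not just the `.so`: a tampered wheel could also carry changed Python files. Note that a wheel's own RECORD file lists SHA-256 digests of its members, but it is written by whoever built the wheel, so it only self-attests; the digests that matter are the ones produced by an independent rebuild, as the poster did in step 4.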