Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to bootstrap and verify sbt plugins? #91

Open
graingert opened this issue May 12, 2016 · 8 comments
Open

How to bootstrap and verify sbt plugins? #91

graingert opened this issue May 12, 2016 · 8 comments

Comments

@graingert
Copy link

There should be a tutorial on how to download and verify sbt-pgp and another other build plugins before sbt runs (and a malicious plugin stops sbt-pgp from working)

@jsuereth
Copy link
Member

Good question. I think it may be (barely) possible for us to do that. We would actually need to include ourselves VERY EARLY in the sbt load process, and even then we wouldn't be guaranteed to catch everything....

Cc. @eed3si9n

@eed3si9n
Copy link
Member

eed3si9n commented May 12, 2016

Imagine all the people living life in peace (using sbt-pgp as part of mothership instead of a plugin).

@graingert
Copy link
Author

I imagine this being a tar.gz that directly patches sbt or is integrated
directly.
On 12 May 2016 8:19 pm, "Josh Suereth" [email protected] wrote:

Good question. I think it may be (barely) possible for us to do that.
We would actually need to include ourselves VERY EARLY in the sbt load
process, and even then we wouldn't be guaranteed to catch everything....

Cc. @eed3si9n https://github.com/eed3si9n


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#91 (comment)

@graingert
Copy link
Author

What's sbt mothership?
On 12 May 2016 8:42 pm, "Thomas Grainger" [email protected] wrote:

I imagine this being a tar.gz that directly patches sbt or is integrated
directly.
On 12 May 2016 8:19 pm, "Josh Suereth" [email protected] wrote:

Good question. I think it may be (barely) possible for us to do that.
We would actually need to include ourselves VERY EARLY in the sbt load
process, and even then we wouldn't be guaranteed to catch everything....

Cc. @eed3si9n https://github.com/eed3si9n


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#91 (comment)

@eed3si9n
Copy link
Member

It's a term I use sometimes to refer to sbt, as opposed to the plugins.
I've been an advocate for that for a while. See https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ for example.

@graingert
Copy link
Author

The signature verification parts of sbt-pgp only make sense if they can
verify plugins before they are loaded and as such cannot work without being
patched into sbt or included in 'mothership'
On 12 May 2016 8:55 pm, "eugene yokota" [email protected] wrote:

It's a term I use sometimes to refer to sbt, as opposed to the plugins.
I've been an advocate for that for a while. See
https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ
for example.


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#91 (comment)

@graingert
Copy link
Author

You could create a new addSbtPlugin function eg addSbtPlugin(plugin:
Plugin, pgp: PgpFingerPrint)

That does the validation.

But you would still need to patch sbt before the plugins.sbt loaded.

Thomas Grainger

On 12 May 2016 at 21:05, Thomas Grainger [email protected] wrote:

The signature verification parts of sbt-pgp only make sense if they can
verify plugins before they are loaded and as such cannot work without being
patched into sbt or included in 'mothership'
On 12 May 2016 8:55 pm, "eugene yokota" [email protected] wrote:

It's a term I use sometimes to refer to sbt, as opposed to the plugins.
I've been an advocate for that for a while. See
https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ
for example.


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#91 (comment)

@graingert
Copy link
Author

I guess you could import sbt-pgp after manually adding it to your classpath.

Thomas Grainger

On 12 May 2016 at 22:08, Thomas Grainger [email protected] wrote:

You could create a new addSbtPlugin function eg addSbtPlugin(plugin:
Plugin, pgp: PgpFingerPrint)

That does the validation.

But you would still need to patch sbt before the plugins.sbt loaded.

Thomas Grainger

On 12 May 2016 at 21:05, Thomas Grainger [email protected] wrote:

The signature verification parts of sbt-pgp only make sense if they can
verify plugins before they are loaded and as such cannot work without being
patched into sbt or included in 'mothership'
On 12 May 2016 8:55 pm, "eugene yokota" [email protected] wrote:

It's a term I use sometimes to refer to sbt, as opposed to the plugins.
I've been an advocate for that for a while. See
https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ
for example.


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#91 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants