Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update netlayer references to bisq repos #4694

Merged
merged 1 commit into from
Oct 27, 2020

Conversation

cd2357
Copy link
Contributor

@cd2357 cd2357 commented Oct 24, 2020

Update build.gradle to rely on the netlayer libraries from the bisq-network repo. The library versions (commit IDs) remain the same, only the repo from which they are pulled is changed.

Update build.gradle to rely on the netlayer libraries from the bisq-network repo. The library versions (commit IDs) remain the same, only the repo from which they are pulled is changed.
Copy link
Contributor

@chimp1984 chimp1984 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

@chimp1984
Copy link
Contributor

@cd2357 Do we have a way now to archive past sigs/hashes or even binaries for being able to verify historical releases?

@chimp1984
Copy link
Contributor

@cd2357 Also: Can you figure out if its feasible to do tor binary verification in the build scripts?

@cd2357
Copy link
Contributor Author

cd2357 commented Oct 25, 2020

Do we have a way now to archive past sigs/hashes or even binaries for being able to verify historical releases?

Yes, the tor-binary project can keep previous hashes used for previous tor versions, like here for v10: https://github.com/bisq-network/tor-binary/tree/upgrade-tor-10.0/tor-binary-resources/checksums . When the binaries are built for the next version, new hash files are added named accordingly, while still preserving the previous hash files.

Also: Can you figure out if its feasible to do tor binary verification in the build scripts?

I tried, but found no direct way to do that, because there are no published hashes for the tor binaries.

The current approach does that indirectly:

  • Bisq uses a certain version of netlayer
  • ... which uses a certain version of tor-binary
  • ... which contains, in the path listed above, the expected hashes of the tor browser binaries

The tor-binary build process will fail if the checked-in hashes don't match the actual hashes of the downloaded tor browser binaries.

Still, once built, the resulting libraries are downloaded from jitpack, when building Bisq, so this involves some trust in them.

One idea to eliminate the need for that trust: when upgrading tor-binary and netlayer next, the one who does it should build them locally + hash the resulting maven artefacts. Then, when the netlayer version is bumped in the Bisq build.gradle and ./gradlew -q calculateChecksums is run to update gradle-witness.gradle, he can check if those checksums (hashes of the jitpack tor libraries) are the same as the checksums he generated locally earlier (from his local maven repo, after locally building netlayer and the tor-binary dependency).

Its a manual step in the "upgrade tor version" process, but it has to be done only once. If all looks good, the "upgrade tor version" commit in Bisq will include a verified set of hashes in gradle-witness.gradle, so all subsequent builds from anyone else will automatically check and expect the jitpack binaries to have those checksums.

@sqrrm sqrrm merged commit 6cb0130 into bisq-network:master Oct 27, 2020
@ripcurlx ripcurlx added this to the v1.5.0 milestone Nov 3, 2020
@cd2357 cd2357 deleted the update-tor-repos branch May 9, 2021 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants