-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document "artifact rule" rationale #4
Comments
I missed all the discussion for the rationale why we prefer an implicit rule ALLOW * instead of a DENY * at the end of the artifact rules. Santiago mentioned that this is preferred because of the feedback received, which is mostly to improve usability. I don't have a strong preference for either one, but I wanted to make sure that Justin is also on board with this choice. |
I don't remember the content of the discussion here, but do vaguely recall
a discussion a long while back. We definitely need to document it in a way
that others can see and chime in.
…On Wed, Oct 11, 2017 at 5:11 PM, reza-curtmola ***@***.***> wrote:
I missed all the discussion for the rationale why we prefer an implicit
rule ALLOW * instead of a DENY * at the end of the artifact rules. Santiago
mentioned that this is preferred because of the feedback received, which is
mostly to improve usability.
I don't have a strong preference for either one, but I wanted to make sure
that Justin is also on board with this choice.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA0XDySGHALDKIeWz_geM6fFgEe0WSLgks5srS72gaJpZM4Pymap>
.
|
I think the main argument was that having to explicitly authorize ( |
Until now every recorded artifact had to be consumed by a rule. That is, when verifying the batch of rules for a certain artifact type (material or product) reported for a step or inspection, the verification routine would keep a temporary queue of all artifacts of that type for that step or inspection and remove them from the queue each time an artifact was matched by a rule's artifact pattern. If any artifacts remained in the queue after verifying all rules (for that artifact type of that step or inspection) a RuleVerficationError was raised. This behavior amounted to an implicit `DISALLOW *` at the end of a given `expected_materials` or `expected_products` list. With this change the implicit `DISALLOW *` is removed, i.e. replaced with an implicit `ALLOW *`. However a layout designer can still add an explicit `DISALLOW *` at the end of a given rule list to fail if corresponding artifacts are not matched by any prior rule's pattern. The rationale for this change can be found in in-toto/specification#4.
I'd like to see some examples of this so we can better understand the implications. If there is an explicit ALLOW *, doesn't this mean new items can effectively always be silently added? |
Sorry I missed this comment. I'll upload some examples soon to the repository's wiki to help us document these design decisions. An explicit ALLOW * does indeed allow a step to register any products in their materials and products. Much like a firewall, I think having an explicit DISALLOW for good practice is a better decision than the opposite. |
Offhand, I'd rather have 1) an accidental annoyance from blocking something
that is caught later and rectified before the software is shipped than 2) a
situation where a compromised step can add any set of files they like,
compromising any meaningful security guarantees.
However, with some discussion, I may feel differently.
…On Fri, Oct 27, 2017 at 5:56 PM, Santiago Torres ***@***.***> wrote:
Sorry I missed this comment. I'll upload some examples soon to the
repository's wiki to help us document these design decisions.
An explicit ALLOW * does indeed allow a step to register any products in
their materials and products. Much like a firewall, I think having an
explicit DISALLOW for good practice is a better decision than the opposite.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA0XD_AQcqsxaAiHJ3W8GnCv3Jaws3Ywks5swlGggaJpZM4Pymap>
.
|
Below is a mostly exhaustive list of related historic and ongoing in-toto issues and PRs. It's worth combing through these, when rehashing the artifact rule rational.
|
The recent discussion about whether and why we decided to replace the implicit
DISALLOW *
with an implicitALLOW *
when verifying expected materials and products makes it clear that we need to document these decisions more thoroughly.in-toto/in-toto#43 shows how the current design of
MATCH
rules (only) evolved.@SantiagoTorres suggests to create a Wiki that summarizes such on- and offline discussions and provides additional information about the rationale behind certain design decision that would go beyond the scope of the specification.
The text was updated successfully, but these errors were encountered: