How to bootstrap and verify sbt plugins? #91

Open
graingert opened this issue May 12, 2016 · 8 comments
Comments

@graingert
Contributor

There should be a tutorial on how to download and verify sbt-pgp and any other build plugins before sbt runs (and a malicious plugin stops sbt-pgp from working).

@jsuereth
Member

Good question. I think it may be (barely) possible for us to do that. We would actually need to include ourselves VERY EARLY in the sbt load process, and even then we wouldn't be guaranteed to catch everything....

Cc. @eed3si9n

@eed3si9n
Member

eed3si9n commented May 12, 2016

Imagine all the people living life in peace (using sbt-pgp as part of mothership instead of a plugin).

@graingert
Contributor Author

I imagine this being a tar.gz that directly patches sbt or is integrated directly.

@graingert
Contributor Author

What's sbt mothership?

@eed3si9n
Member

It's a term I use sometimes to refer to sbt, as opposed to the plugins.
I've been an advocate for that for a while. See https://groups.google.com/d/msg/simple-build-tool/1Zq1Xa5_Ge4/Fikn3qJDVDQJ for example.

@graingert
Contributor Author

The signature verification parts of sbt-pgp only make sense if they can verify plugins before they are loaded, and as such cannot work without being patched into sbt or included in 'mothership'.

@graingert
Contributor Author

You could create a new addSbtPlugin function, e.g. addSbtPlugin(plugin: Plugin, pgp: PgpFingerPrint), that does the validation.

But you would still need to patch sbt before plugins.sbt is loaded.

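A sketch of the pinned-fingerprint check that suggestion implies, written as an added example (not sbt-pgp's or sbt's code): a Python wrapper that runs gpg on a downloaded plugin jar and its detached signature before anything loads it, and accepts only when VALIDSIG names the primary-key fingerprint pinned for that plugin coordinate. The coordinate, fingerprint and gpg status lines below are constructed placeholders; only the parsing runs offline, the gpg call needs gpg on PATH with the pinned key imported.

```python
import subprocess

# Constructed example: pin each plugin coordinate to the primary-key fingerprint
# its release signatures must come from (placeholder fingerprint, not a real key).
PINNED_FINGERPRINTS = {
    "com.example:sbt-example-plugin:1.0.0": "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Any of these on the gpg status stream means "do not load", even when VALIDSIG
# is also present: gpg emits VALIDSIG for expired and revoked keys as well.
REJECT_STATUS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def validsig_primary_fingerprint(status_output):
    """Parse `gpg --status-fd` lines; return the primary-key fingerprint from
    VALIDSIG, or None if any rejecting status line was emitted."""
    fingerprint = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT_STATUS:
            return None
        if keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key; the last field is the primary key
            fingerprint = fields[-1].upper()
    return fingerprint


def check_pinned(status_output, coordinate):
    """True only when the signature verified and came from the pinned key."""
    expected = PINNED_FINGERPRINTS.get(coordinate)
    if expected is None:
        return False  # unpinned plugin: refuse rather than trust whoever signed it
    return validsig_primary_fingerprint(status_output) == expected.upper()


def verify_plugin_jar(jar_path, sig_path, coordinate):
    """Verify a downloaded jar against its detached .asc before anything loads it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, jar_path],
        capture_output=True, text=True, check=False)
    return check_pinned(proc.stdout, coordinate)


# Constructed gpg status stream (not captured from a real run) for offline checks.
SAMPLE_GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release <release@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2016-05-12 1463000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_EXPIRED_STATUS = SAMPLE_GOOD_STATUS.replace("[GNUPG:] GOODSIG", "[GNUPG:] EXPKEYSIG")
```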

@graingert
Contributor Author

I guess you could import sbt-pgp after manually adding it to your classpath.

