Publicly verify open source code was deployed as is - deployment

Let’s say we have some open source project at GitHub with its source code. I want to deploy it to some server and let people access some informative page/tool/whatever that informs in some trustworthy way that effectively what it was deploy to the server was exactly the code that is in the repository.
Is there something that can help with this? Maybe an open source tool like Travis-CI that can help verify that a deploy was done using the latest code from X branch? Or perhaps there is a known way to do this using some kind of checksum for a deployable source code?
Any help/guidance would be much appreciated.

This is a build issue: you need to be able to include in your compiled delivery the checksum which shows from which sources said deliverable has been compiled.
It depends on your compilation language.
Go, for instance, would use build flags (as in this example):
go build -i -v -ldflags="-X main.version=$(git describe --always --long --dirty)" github.com/MyUserName/MyProject
Travis-CI would use the same ldflags, but with a fixed value.
This example simply add the Git commit as a flag.
script:
- go get -t -v ./...
- diff -u <(echo -n) <(gofmt -d .)
- go vet $(go list ./... | grep -v /vendor/)
- go test -v -race ./...
# Only build binaries from the latest Go release.
- if [ "${LATEST}" = "true" ]; then gox -os="linux darwin windows" \
-arch="amd64" -output="logshare.." \
-ldflags "-X main.Rev=`git rev-parse --short HEAD`" -verbose ./...; fi
Again, this is a build step, before the deployment step.
And it is illustrated for Go, but the idea remain for any other language.
At runtime, the program is able to display its version, and let the user know of the GitHub reference: they can check that reference is the one used for the build.
Alternative approach: signing a docker image
Then your Travis-CI could apply that on build stages for sharing that image.
But you will need to manage the Docker Content Trust (DCT) keys.

Related

Using Google's Repo Tool

Simple Question: How do I download android operating system source code version 8.0.0 using the repo tool on linux mint?
Detailed:
I want to download android source code. Edit some of the code, then install it onto a device. I installed a linux operating system, and downloaded/initialized repo. However, for the life of me I cannot understand how to use REPO.
I use the operating system tag: OPR4.170623.009. Which is android-8.0.0_r16 Oreo
That is the following command:
repo sync [OPR4.170623.009]
I get this result
... A new version of repo (2.12) is available.
... You should upgrade soon:
cp /home/k/.repo/repo/repo /home/k/bin/repo
error: project [OPR4.170623.009] not found
I even tried
repo sync [<OPR4.170623.009>]
I got
bash: OPR4.170623.009: No such file or directory
It is very weird, because the 'Downloading the Source' page doesn't really one on how to actually download the source. (https://source.android.com/setup/build/downloading#initializing-a-repo-client). It makes is seem like I should be using sync, and the 'source code tags'. However it doesn't say how to put those two together:
Here:
repo sync [project0 project1 ... projectn]
repo sync [/path/to/project0 ... /path/to/projectn]
It shows some example, but that doesn't look anything like their tags?
The version you want to download has to be specified for repo init, not for repo sync. Also, the version is specified using the tag, not the build ID (the second column in this list).
So the steps you have to take would be as follows:
Initialize the repo with the build tag you want (for example android-8.0.0_r16):
repo init -u https://android.googlesource.com/platform/manifest -b android-8.0.0_r16
Synchronize the repo:
repo sync --jobs=32 --current-branch --no-tags --quiet
The additional flags passed to repo sync are not required, but might be helpful: The flag --jobs=32 will attempt 32 downloads in parallel (adjust to your network bandwidth). The flag --current-branch will download only the branch you have specified during repo init. The flag --no-tags will disable downloading of tag data. With the flag --quiet only the overall download progress will be shown.
Some general note: You indicated that you want to flash the image to a device. Note that your device will likely require device specific drivers to be included in the image. These drivers are generally not part of AOSP. Also, your device may have a locked boot loader that does not allow flashing custom images. I cannot give more details since I don't know the device you are targeting.

Control tracked version of external dependency

I am trying to set up a DVC repository for machine learning data with different tagged versions of the dataset. I do this with something like:
$ cd /raid/ml_data # folder on a data drive
$ git init
$ dvc init
$ [add data]
$ [commit to dvc, git]
$ git tag -a 1.0.0
$ [add or change data]
$ [commit to dvc, git]
$ git tag -a 1.1.0
I have multiple projects that each need to reference some version of this dataset. The problem is I can't figure out how to set up those projects to reference a specific version. I'm able to track the HEAD of the repo with something like:
$ cd ~/my_proj # different drive than the remote
$ mkdir data
$ git init
$ dvc init
$ dvc remote add -d local /raid/ml_data # add the remote on my data drive
$ dvc cache dir /raid/ml_data/.dvc/cache # tell DVC to use the remote cache
$ dvc checkout
$ dvc run --external -d /raid/ml_data -o data/ cp -r /raid/ml_data data
This gets me the latest version of the dataset, symlinked into my data folder, but what if I want some projects to use the 1.0.0 version and some to use the 1.1.0 version, or another version? Or for that matter, if I update the dataset to 2.0.0 but don't want my existing projects to necessarily track HEAD and instead keep the version with which they were set up?
It's important to me to not create a ton of local copies of my dataset as the /home drive is much smaller than the /raid drive and some of these datasets are huge.
I think you are looking for the data access set of commands.
In your particular case, dvc import makes sense:
$ dvc import /raid/ml_data data
if you want to get the most recent version (HEAD). Then you will be able to update it with the dvc update command (if 2.0.0 is released, for example).
$ dvc import /raid/ml_data data --rev 1.0.0
if you'd like to "fix" it to the specific version.
Avoiding copies
Make sure also, that symlinks are set for the second project, as described in the Large Dataset Optimization:
$ dvc config cache.type reflink,hardlink,symlink,copy
(there are config modifiers --global, --local, --system to set this setting for everyone at once, or just for one project, etc)
Check the details instruction here.
Overall, it's a great setup, and looks like you got pretty much everything right. Please, don't hesitate to follow up and/or create other questions here- we'll help you with this.

Bitrise x Danger : bundle install, Could not locate Gemfile in "Do anything with Script step"

I'm new to CI, bitrise.
I've connected bitrise, project and Github and succeeded vanilla build.
Now I'm trying to show Auto PR comments on Github by using Danger connecting bitrise.
However, after pushing commits and making a pull request, the build was failed with this error on "Do anything with Script step" phase on bitrise.
What does "Could not locate Gemfile" mean in this case?
I have already added gemfile in local by these commands,
// create gemfile on the project directory
$ bundler init
// add danger in gemfile
gem "danger"
// install
$ bundle install
$ bundle exec danger init
And I've done
adding DANGER_GITHUB_API_TOKEN and github Access token in Env vars in bitrise
adding scripts in Do anything with Script step
This is my script.
#!/usr/bin/env bash
# fail if any commands fails
set -e
# debug log
set -x
# these 2 lines are what I added
bundle install
bundle exec danger
# write your script here
echo "Hello World!"
# or run a script from your repository, like:
# bash ./path/to/script.sh
# not just bash, e.g.:
# ruby ./path/to/script.rb
Is something missing to make Danger work in Github?
I have no idea what's going on here and I don't know even where I need to check.
If you have any ideas, please help me.
Feel free to ask me if you need more info to solve this.
Thanks.
This was happening to me because I was executing the Danger script before the Git Clone Repository step in my workflow.. It can't find the Gemfile because it's not in the correct directory; $BITRISE_SOURCE_DIR is not set prior to the Git Clone Repository step.

Gitzilla: Integration of github-project in Bugzilla

I am working on a Debian server, where I installed bugzilla. According to the suggestions in the gitzilla-installation guidelines, I would like to integrate Gitzilla to a project on github.com, using the github.com-project as my central repo. Therefore, I am not quite sure, where to do the following steps:
Switch to the hooks directory (/path/to/repository/.git/hooks) and delete the post-receive and update hooks.
Link (or copy) the gitzilla provided hooks:
ln -s $(which gitzilla-post-receive) post-receive
ln -s $(which gitzilla-update) update
Moreover, I tested to choose my github.com-URL to integrate in the /etc/gitzillarc, but without success. PyBugz is installed, and I defined the link to bugzilla, the user_name and PW of the bugzilla-admin.
Best,
H.M.
https://github.com/your_repository.git/.git/hooks will be the path where you should execute the steps.
In case you have a bare repository, then https://github.com/your_repository.git/hooks would be the path.

Best way for fingerprinting a Scala application

I'm developing a Web application in Scala that we deploy in several testing environments. In order to control which software snapshot is installed, I'd like to include a version fingerprint in the generated .war so I can query it using a REST interface.
I would go in the path of setting a SBT task that retrieves the mercurial repository version, the current project version from the project definition and compose a static string that will be read from that before mentioned service, but is this the right approach?
What are common patterns for getting this functionality?
Regards.
The idea is to generate a file with the right information, and then have an SBT task taking care of including that file information in the generated war.
For the file, you can see the right mercurial command in "How to display current working copy version of an hg repository on a PHP page", as a post-update hook:
[hooks]
post-update = hg id -r > VERSION ; hg id -i >> VERSION
That means you won't have ot can any mercurial command from SBT: the update of the mercurial repo will be enough to trigger the generation of that file.
The comments of that linked answer also mention the possible hg command:
hg log -r . --template "v{latesttag}-{latesttagdistance}-{node|short}\n