-
Would this already be covered by bazelbuild/bazel-central-registry#2721?
-
Coming from Go modules, I'm finding that Bazel modules lack an important security feature: a checksum database, also known as a transparency log.
A checksum database would contain a cryptographic hash of every publicly downloadable artifact in the Bazel module ecosystem. The hashes are collected into an append-only cryptographic log and signed by a key trusted by Bazel. Bazel would use the checksum database to verify the integrity of a newly downloaded file before adding its hash to `MODULE.bazel.lock`.

The checksum database essentially would act as a global `MODULE.bazel.lock` file. New modules are still trusted at time of first use, but the "first use" is when the module is first added to the registry, not the "first use" of every Bazel user. This makes it much more difficult for an attacker to manipulate the content of a module from the perspective of an individual user.

To some extent, a checksum database is needed less urgently by Bazel than it was for Go because Bazel's central registry is centralized; in Go, a module author makes a module available to users simply by making their repository public. However, the need is still there: the BCR is based on Git, which doesn't provide the cryptographic guarantees needed for this type of log. If an attacker gained write access to the BCR repository, they could change the content of existing modules in a way that Bazel couldn't easily notice.
Some useful references from Go:
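The mechanism the post describes, as an added example that is not part of the original post and not code from Bazel or the BCR: a toy checksum database in the style of Go's sumdb. Records (module, version, archive SHA-256) go into an RFC 6962 Merkle tree, the log signs its tree head with an ed25519 key, and the client runs the check Bazel would run before pinning a hash in `MODULE.bazel.lock`: trusted signature, inclusion proof, bytes match the record. The module names, archive bytes, tree-head message format and the explicit side flag on proof nodes are all constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Leaf is one checksum-database record: module, version and the SHA-256 of
// its archive (the value Bazel would otherwise pin in MODULE.bazel.lock).
type Leaf struct {
	Module, Version string
	ArtifactSHA256  [32]byte
}

// Record hashes get a 0x00 prefix and interior nodes a 0x01 prefix
// (RFC 6962 domain separation) so a record can never be passed off as a node.
func (l Leaf) hash() [32]byte {
	rec := fmt.Sprintf("%s %s h1:%x\n", l.Module, l.Version, l.ArtifactSHA256)
	return sha256.Sum256(append([]byte{0x00}, rec...))
}

func nodeHash(left, right [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, left[:]...), right[:]...))
}

// splitPoint is the largest power of two strictly less than n (n >= 2).
func splitPoint(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot is the RFC 6962 tree hash over an ordered list of leaf hashes.
func merkleRoot(h [][32]byte) [32]byte {
	switch len(h) {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return h[0]
	}
	k := splitPoint(len(h))
	return nodeHash(merkleRoot(h[:k]), merkleRoot(h[k:]))
}

// proofNode is one sibling on the path to the root. RFC 6962 derives the side
// from index and tree size; carrying it explicitly (an assumption here) keeps
// the verifier short.
type proofNode struct {
	Hash [32]byte
	Left bool
}

func inclusionProof(h [][32]byte, idx int) []proofNode {
	if len(h) <= 1 {
		return nil
	}
	k := splitPoint(len(h))
	if idx < k {
		return append(inclusionProof(h[:k], idx), proofNode{merkleRoot(h[k:]), false})
	}
	return append(inclusionProof(h[k:], idx-k), proofNode{merkleRoot(h[:k]), true})
}

func verifyInclusion(leaf [32]byte, path []proofNode, root [32]byte) bool {
	r := leaf
	for _, p := range path {
		if p.Left {
			r = nodeHash(p.Hash, r)
		} else {
			r = nodeHash(r, p.Hash)
		}
	}
	return r == root
}

// SignedTreeHead is what the log publishes: size, root, signature under the
// log key that clients are configured to trust. The message format is made up.
type SignedTreeHead struct {
	Size int
	Root [32]byte
	Sig  []byte
}

func treeHeadMessage(size int, root [32]byte) []byte {
	return []byte(fmt.Sprintf("checksum db tree head\n%d\n%x\n", size, root))
}

// Log is the server side: append-only records plus the signing key.
type Log struct {
	leaves []Leaf
	key    ed25519.PrivateKey
}

func (l *Log) Append(leaf Leaf) { l.leaves = append(l.leaves, leaf) }

func (l *Log) hashes() [][32]byte {
	out := make([][32]byte, len(l.leaves))
	for i, leaf := range l.leaves {
		out[i] = leaf.hash()
	}
	return out
}

func (l *Log) TreeHead() SignedTreeHead {
	root := merkleRoot(l.hashes())
	return SignedTreeHead{len(l.leaves), root, ed25519.Sign(l.key, treeHeadMessage(len(l.leaves), root))}
}

func (l *Log) Lookup(module, version string) (Leaf, []proofNode, error) {
	for i, leaf := range l.leaves {
		if leaf.Module == module && leaf.Version == version {
			return leaf, inclusionProof(l.hashes(), i), nil
		}
	}
	return Leaf{}, nil, errors.New("not in checksum database")
}

// VerifyDownload is the client check run before a hash is written to the
// lockfile: the record must sit in a tree head signed by the trusted log key,
// and the downloaded bytes must hash to what the record says.
func VerifyDownload(pub ed25519.PublicKey, sth SignedTreeHead, leaf Leaf, path []proofNode, archive []byte) error {
	if !ed25519.Verify(pub, treeHeadMessage(sth.Size, sth.Root), sth.Sig) {
		return errors.New("tree head signature invalid")
	}
	if !verifyInclusion(leaf.hash(), path, sth.Root) {
		return errors.New("record not included in signed tree")
	}
	if sha256.Sum256(archive) != leaf.ArtifactSHA256 {
		return errors.New("archive hash does not match checksum database")
	}
	return nil
}

// Constructed stand-ins for archives registered in the registry.
type demoModule struct {
	Module, Version string
	Archive         []byte
}

var demoModules = []demoModule{
	{"rules_foo", "1.0.0", []byte("rules_foo 1.0.0 archive (constructed)")},
	{"rules_foo", "1.1.0", []byte("rules_foo 1.1.0 archive (constructed)")},
	{"bar", "0.3.0", []byte("bar 0.3.0 archive (constructed)")},
}

func newDemoLog() (*Log, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	l := &Log{key: priv}
	for _, m := range demoModules { // registry time is the one trust-on-first-use moment
		l.Append(Leaf{m.Module, m.Version, sha256.Sum256(m.Archive)})
	}
	return l, pub
}

func main() {
	l, pub := newDemoLog()
	sth := l.TreeHead()
	leaf, path, _ := l.Lookup("rules_foo", "1.1.0")
	fmt.Println("genuine: ", VerifyDownload(pub, sth, leaf, path, demoModules[1].Archive))
	fmt.Println("tampered:", VerifyDownload(pub, sth, leaf, path, []byte("attacker-modified archive")))
}
```

The point the post makes about Git is visible in `VerifyDownload`: an attacker who rewrites a record in the registry also has to produce a tree head over the new root signed by the log key, and a log that publishes consistency proofs between tree heads cannot do that without the change showing up to every auditor.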