
Download the desired aqua version directly instead of the bootstrap version #716

Closed
dudicoco opened this issue Nov 28, 2024 · 10 comments

Comments

@dudicoco

The install script currently downloads a bootstrap version of aqua; if a version of aqua is passed to the installer script, it then runs aqua update, which downloads aqua again in the desired version.

I'm not sure what the reasoning behind this is, but I believe we could download the version that is passed to the installer directly.

@suzuki-shunsuke (Member)

That's a good question.
Bootstrap is required to achieve a secure install easily with minimal dependencies.

  • Secure install: verify checksums and signatures
  • Minimal dependencies: aqua-installer requires only curl or wget
  • Easy implementation: aqua-installer leaves the complicated process to aqua update-aqua

We think Supply Chain Security is very important.

To verify checksums, you need to get the expected checksums somehow.
aqua-installer supports any version, so it needs to be able to get the checksums of any version.
Downloaded checksum files must be verified somehow.
aqua uses tools such as Cosign for verification, so they must be installed securely before installing aqua.
To install Cosign securely, Cosign must be verified. This is a bootstrap issue.

To solve this issue, we hardcode a specific aqua version and its checksums in aqua-installer.
We can trust hardcoded checksums.
aqua-installer downloads the specific version and verifies its checksums without Cosign.
Then aqua-installer executes the aqua update-aqua command to install Cosign and aqua securely.
We hardcode the Cosign version and checksums in aqua to install Cosign securely.
The aqua update-aqua command installs Cosign securely, and then installs aqua securely.

That's why the bootstrap is required.

Without the bootstrap, you would need to install one of the following tools before executing aqua-installer, which makes aqua-installer hard to use.

And we need to take care of compatibility. For example, users may use an old GitHub CLI that doesn't support the gh attestation command.

We hardcode the versions and checksums of the tools which aqua uses internally so as not to depend on the user environment.

aqua-installer leaves the complicated process to aqua update-aqua, which keeps aqua-installer simple.

Bootstrap causes some overhead, but we accept it.
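The two-stage flow described in the comment above, written out as an added example in POSIX shell. This is not aqua-installer's own code: the pinned version string, the checksum table, the platform keys, the function names and the local-copy stand-in for a curl/wget download are all assumptions made for the example. The first table entry is the real SHA-256 of the string "hello\n", which stands in for the bootstrap binary so the script runs offline; the second is the SHA-256 of the empty file. Stage 1 needs nothing beyond a sha256 tool, which is the whole point of pinning: the trust root is the checksum baked into the script, and only after that file is verified does stage 2 (aqua update-aqua) get to bring in Cosign and the requested version.

```shell
#!/bin/sh
# Added example of the pinned-checksum bootstrap pattern (not aqua-installer's code).
# Assumptions: a hypothetical pinned version, a hypothetical checksum table keyed by
# os_arch, and a local copy in place of the real curl/wget download so it runs offline.
set -eu

BOOTSTRAP_VERSION="vX.Y.Z"   # hypothetical pinned bootstrap version

# Hypothetical pinned table, one "<os>_<arch> <sha256>" per line.
# linux_amd64 entry = sha256 of the bytes "hello\n" (stands in for the bootstrap binary).
# darwin_arm64 entry = sha256 of an empty file.
BOOTSTRAP_CHECKSUMS='
linux_amd64 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
darwin_arm64 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
'

# Minimal-dependency sha256: GNU sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no sha256 tool available" >&2
    return 2
  fi
}

# Look up the pinned checksum for a platform. An unpinned platform is a hard failure:
# there is nothing trustworthy to verify against, so we must not proceed.
pinned_checksum() {
  printf '%s\n' "$BOOTSTRAP_CHECKSUMS" |
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Compare a file against an expected sha256. 0 = match, 1 = mismatch, 2 = no hash tool.
verify_checksum() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")" || return 2
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Stage 1: fetch the pinned bootstrap artifact and verify it with sha256 only.
# "src" is a local file here; a real installer would curl/wget the pinned release URL.
bootstrap() {
  platform="$1"; src="$2"; dest="$3"
  expected="$(pinned_checksum "$platform")" || {
    echo "no pinned checksum for $platform ($BOOTSTRAP_VERSION)" >&2
    return 3
  }
  cp "$src" "$dest"
  if ! verify_checksum "$dest" "$expected"; then
    rm -f "$dest"   # never leave an unverified binary on disk
    return 1
  fi
  chmod +x "$dest"
  # Stage 2 would be: "$dest" update-aqua
  # (the verified bootstrap installs pinned Cosign, then the requested aqua version).
  return 0
}

# Demo on constructed input: a "binary" whose bytes are "hello\n", and a tampered copy.
demo() {
  dir="$(mktemp -d)"
  printf 'hello\n' > "$dir/aqua.good"
  printf 'hello!\n' > "$dir/aqua.tampered"
  bootstrap linux_amd64 "$dir/aqua.good" "$dir/aqua" && echo "good artifact: verified"
  bootstrap linux_amd64 "$dir/aqua.tampered" "$dir/aqua" || echo "tampered artifact: rejected (exit $?)"
  rm -rf "$dir"
}

demo
```

The same verify_checksum step is what a user applies to a pinned copy of the installer script itself before running it; the only difference is where the expected hash comes from (the script's own table versus the user's pin).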


@dudicoco (Author)

@suzuki-shunsuke how about adding the checksums of the last n versions of aqua to the installer script?
So we would have, for example, 10 possible bootstrap versions instead of one.
Since the installer itself is versioned, we would have a high probability of downloading one of the bootstrap versions and not having to redownload afterwards.

@suzuki-shunsuke (Member) commented Nov 29, 2024

In that case, we need to release a new version of aqua-installer every time we release a new version of aqua.
And when users update aqua to the latest version, the 10 bootstrap versions have no meaning unless users update aqua-installer to the latest version.
I don't think this is a good idea.

The current situation is not so bad, so I don't think we need to improve it that much.

@suzuki-shunsuke (Member) commented Nov 29, 2024

We don't want to update aqua-installer frequently only for updating checksums, because if users use aqua-installer as a shell script, they need to fix the checksum of aqua-installer when they update aqua-installer, which is bothersome.

@dudicoco (Author) commented Nov 29, 2024

@suzuki-shunsuke there's a tradeoff here: if it's more important for the user to validate the checksum of aqua-installer, they can choose not to update it to the latest version frequently and possibly download aqua twice.
If it's more important for the user not to download aqua twice, then the tradeoff of not validating the checksum is acceptable.
My focus here is mainly on CI, where you don't want to download aqua twice on every run.

@suzuki-shunsuke (Member)

As I mentioned, we think Supply Chain Security is very important.
So there is no option not to verify the checksum.

@suzuki-shunsuke (Member)

Basically, downloading aqua takes only a few seconds on ubuntu-latest.
I don't think this is a problem.

@dudicoco (Author)

> As I mentioned, we think Supply Chain Security is so important. So there is no option not to verify checksum.

I am talking about the installer script checksum, not the aqua binary checksum.

@suzuki-shunsuke (Member)

Same. We should verify the checksum of the installer script in terms of Supply Chain Security.
