Standalone mode support for reproducible builds #34

Closed
ipuustin opened this issue Jul 24, 2023 · 4 comments · Fixed by #40
Comments

@ipuustin

The runwasi project (containerd/runwasi#187) is using wasmedge-rust-sdk standalone mode to get the correct version of the WasmEdge library automatically. However, there is some concern about reproducible builds -- how can we be sure which exact version of the library we are getting, for example in the case when there is a security issue in WasmEdge? Would it be possible to get a checksum or similar of the expected file? Also, how are things like HTTPS proxy config propagated to the download -- can this be documented? Thanks!

(Btw, it seems to me from the code that wasmedge-rust-sdk doesn't validate the downloaded file checksum; this could be something that could be improved.)

@apepkuss
Collaborator

Hi @ipuustin, thanks for your report. The standalone mode has not been the recommended deployment choice for installing the WasmEdge library, so we have put only very limited energy into it so far. Now that we see the solid requirements for the mode, we'll catch up and improve it ASAP.

Q1: how can we be sure which exact version of the library we are getting

In the current design, we maintain a versioning table to help users find out which pairs of WasmEdge Rust SDK and WasmEdge Runtime they can use.

Q2: Would it be possible to get a checksum or similar of the expected file?

We opened a new issue (#2678) in WasmEdge as a new requirement. Once it is satisfied, we'll support it in wasmedge-rust-sdk.

Q3: how are things like HTTPS proxy config propagated to the download -- can this be documented?

You mean the HTTPS config used in the download script or something else? Could you please explain this question a bit more? I failed to get your point, sorry about it.

@hydai
Member

hydai commented Jul 25, 2023

Hi @ipuustin
Thanks for this suggestion. I already added the SHA256SUM files to the release assets page after the 0.11.2 version.
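A build that uses standalone mode can pin the library by committing the release's SHA256SUM file and rejecting any downloaded archive that does not match it. The script below is an added example, not part of the original thread and not code from wasmedge-rust-sdk or WasmEdge; the function name `verify_pinned`, the file names, and the standard `sha256sum` manifest line format are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from wasmedge-rust-sdk or WasmEdge.
# Assumption: the manifest uses the standard `sha256sum` line format
# ("<64 hex digits>  <file name>"); file names below are constructed.

# verify_pinned ARCHIVE MANIFEST
#   0 = digest matches the single manifest entry for ARCHIVE's base name
#   1 = digest mismatch
#   2 = unusable input (missing file, no entry, duplicate or malformed entry)
verify_pinned() {
    local archive=$1 manifest=$2 name entries expected actual
    [ -f "$archive" ] && [ -f "$manifest" ] || return 2
    name=$(basename -- "$archive")

    # Exact file-name match only; accept text ("  name") and binary (" *name") forms.
    entries=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print tolower($1) }' "$manifest")

    # Fail closed unless there is exactly one well-formed SHA-256 entry.
    [ "$(printf '%s\n' "$entries" | grep -c .)" -eq 1 ] || return 2
    expected=$entries
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 2

    # Hash via stdin so an odd file name cannot change sha256sum's output format.
    actual=$(sha256sum < "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a manifest committed next to the build script pins the archive.
demo() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    printf 'constructed archive bytes\n' > "$dir/libexample-1.0.0.tar.gz"
    (cd "$dir" && sha256sum libexample-1.0.0.tar.gz > SHA256SUM)
    verify_pinned "$dir/libexample-1.0.0.tar.gz" "$dir/SHA256SUM" && echo "pinned archive: OK"
    # Simulate a changed upstream artifact: same name, different bytes.
    printf 'x' >> "$dir/libexample-1.0.0.tar.gz"
    verify_pinned "$dir/libexample-1.0.0.tar.gz" "$dir/SHA256SUM" || rc=$?
    echo "modified archive: exit $rc"
    rm -rf "$dir"
    return 0
}
demo
```

The manifest only pins the build if it is obtained and reviewed separately from the archive, for example committed to the consuming repository, rather than fetched in the same step as the download it checks.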

@ipuustin
Author

Thanks for the prompt response!

> You mean the HTTPS config used in the download script or something else? Could you please explain this question a bit more? I failed to get your point, sorry about it.

I just mean that when you build within a "proxy prison", where all network traffic must go via an HTTP/HTTPS proxy, there needs to be a way to configure the proxies for the standalone mode. Wget uses environment variables for proxy settings -- it just would be nice to have it documented.

@apepkuss
Collaborator

Many thanks for your explanation. It would be helpful when we are fixing it!
