-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standalone mode support for reproducible builds #34
Comments
Hi @ipuustin, thanks for your report. The Q1: how can we be sure which exact version of the library we are getting In current design, we maintain a versioning table to help users get to know which pair of Q2: Would it be possible to get a checksum or similar of the expected file? We opened a new issue (#2678) in Q3 how are things like HTTPs proxy config propagated to the download -- can this be documented? You mean the HTTPs config used in the download script or something else? Could you please explain this question a bit more? I failed to get your point, sorry about it. |
Hi @ipuustin |
Thanks for the prompt response!
I just mean that when you build within a "proxy prison", where all network traffic must go via a http/https proxy, there needs to be a way to configure the proxies for the standalone mode. Wget uses the environmental variables for proxy settings -- it just would be nice to have it documented. |
Really thanks for your explanation. It would be helpful when we are fixing it! |
The runwasi project (containerd/runwasi#187) is using
wasmedge-rust-sdk
standalone mode to get the correct version of the Wasmedge library automatically. However, there is some concern about reproducible builds -- how can we be sure which exact version of the library we are getting, for example in the case when there is a security issue in Wasmedge? Would it be possible to get a checksum or similar of the expected file? Also, how are things like HTTPs proxy config propagated to the download -- can this be documented? Thanks!(Btw, it seems to me from the code that
wasmedge-rust-sdk
doesn't validate the downloaded file checksum; this could be something that could be improved.)The text was updated successfully, but these errors were encountered: