
Clarify who did/can publish code for common packages #52

Open
Amxx opened this issue Jun 5, 2024 · 4 comments

Comments

@Amxx commented Jun 5, 2024

https://soldeer.xyz/ mentions that it supports, among others, @openzeppelin-contracts and @openzeppelin-contracts-upgradeable.

As maintainers of this project, we are curious how our code is being retrieved when a user does:

soldeer install @openzeppelin-contracts-upgradeable~5.0.2

  • is the code retrieved from the release branch on our github repo?
  • is the code retrieved from the npm servers?
  • is someone repackaging our code and pushing it to soldeer?

That last option would be dangerous in our opinion. We want to assure our users that they get code that was not tampered with, and that can be trusted.

Ideally they would only have to trust us. The current solution implies trusting either npmjs.com or github, both of which are ok to most users (even though it's not ideal). Trusting soldeer.xyz, or trusting a community maintainer that pushes code to soldeer.xyz, is very different IMO to trusting npm or github.

We'd like to understand the process more (and we think that should be very clearly documented on https://soldeer.xyz/project/@openzeppelin-contracts), so that we can inform our users accordingly.

@mario-eth (Owner) commented

Hey,

Currently, the dependencies are pulled from npm and pushed to the soldeer central repository using npm; the crawler is run by me, using this code: https://github.com/mario-eth/soldeer-crawler
The goal is to transfer the project to the teams that maintain the projects and for them to publish to soldeer the same way they are published to npm.
Furthermore, during install, a sha is generated in the soldeer lock that can be verified against the same files on the dependency.

I totally agree that one should not trust the soldeer maintainers to publish the right sources, but until the projects are willing to do that I have to push them.
Will update the readme and will add a warning to every project to say that they are pulled and maintained by the soldeer maintainer.

@mario-eth (Owner) commented

Added readme docs: https://github.com/mario-eth/soldeer?tab=readme-ov-file#dependencies-maintenance
Will update the frontend to show, for every project that is maintained by Soldeer, a disclaimer to alert the users about this.

@mario-eth (Owner) commented

Now every project that is maintained by Soldeer shows this.

@Amxx (Author) commented Jun 10, 2024

Thank you. The warning looks good to me!
