Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change to compile jemalloc from source #28

Merged
merged 2 commits into from
Jul 12, 2023
Merged

Conversation

gaffneyc
Copy link
Owner

As brought up in #27 there are possible supply chain attacks against
anyone using this buildpack. The main concern is that a compromised
binary could be uploaded and there is no way to check that the hosted
binaries are trusted. Going a level deeper there is no way to verify
that the compiled binaries I've uploaded can be trusted (I promise
they're fine!).

This goes a step farther and removes one more random dude on the
Internet (me!) from the chain of trust. By compiling from source and
posting known checksums of those sources it is possible to verify
exactly what is being built and to be notified if the source changes.
This has the added benefit of not needing to provide binaries for each
new release of Jemalloc or launch of a new Heroku stack. Builds are now
cached per version and stack so that changing either will cause a
rebuild on the first deploy.

@gaffneyc
Copy link
Owner Author

gaffneyc commented Oct 20, 2021

Was able to remove the cached check by including the stack in the cache path. This could lead to bloat in the cache but I don't know at what point that becomes an issue.

TODO

  • Test on Heroku
  • Document how to clear cached builds
  • Decide what to do if the checksum is not in the list (e.g. new version comes out but the buildpack hasn't been updated)

@rofreg
Copy link

rofreg commented Oct 20, 2021

🙌 This looks really fantastic! I'll close #27 in favor of this PR.

Two quick notes in case they're helpful:

  • Heroku's latest documentation on clearing the build cache is here, if you'd like to just link to it from your README.
  • If you're concerned about cache bloat, it might make sense to add a clean step in addition to download and compile, which could delete all contents of $CACHE_DIR/jemalloc other than $STACK/$version. I believe that would solve the cache bloat problem, by automatically clearing old cached binaries when the stack or version changes.

@gaffneyc
Copy link
Owner Author

Finally had a chance to deploy it to an app on Heroku today and looks like it's working great. A fresh build takes a minute or two but only happens once per stack and version.

If you're concerned about cache bloat, it might make sense to add a clean step in addition to download and compile, which could delete all contents of $CACHE_DIR/jemalloc other than $STACK/$version.

That's a good idea. My original thought was it would make it easier to implement #12 but only the current version is copied into the slug and the buildpack doesn't have access to the build cache at run time. It would make it faster to revert to an older version with a deploy though.

['5.2.0']='74be9f44a60d2a99398e706baa921e4efde82bf8fd16e5c0643c375c5851e3b4'
['5.2.1']='34330e5ce276099e2e8950d9335db5a875689a4c6a56751ef3b1d8c537f887f6'
)

# Default version
version="5.2.1"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to override this somehow? Via Heroku env vars?
Maybe it would be possible to supply a checksum there, too?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pirj
Copy link

pirj commented Jan 26, 2022

Decide what to do if the checksum is not in the list (e.g. new version comes out but the buildpack hasn't been updated)

Maybe use the latest jemalloc tag that the buildpack is aware of? There's a default version anyway:

version="5.2.1"

And warn during the build that a new version is available (but who looks at the logs anyway) to update the buildpack?

BTW, 5.3 may be released sometimes soon 🎉

@gaffneyc
Copy link
Owner Author

Decide what to do if the checksum is not in the list (e.g. new version comes out but the buildpack hasn't been updated)

I think we can fail the build if JEMALLOC_VERSION isn't in the checksum list and JEMALLOC_CHECKSUM isn't set. Since an operator is changing the configuration to specify a version of jemalloc to use I think failing the build wouldn't be that surprising since they've now created a configuration problem.

@gaffneyc gaffneyc mentioned this pull request May 6, 2022
gaffneyc added 2 commits May 6, 2022 21:40
As brought up in #27 there are possible supply chain attacks against
anyone using this buildpack. The main concern is that a compromised
binary could be uploaded and there is no way to check that the hosted
binaries are trusted. Going a level deeper there is no way to verify
that the compiled binaries I've uploaded can be trusted (I promise
they're fine!).

This goes a step farther and removes one more random dude on the
Internet (me!) from the chain of trust. By compiling from source and
posting known checksums of those sources it is possible to verify
exactly what is being built and to be notified if the source changes.
This has the added benefit of not needing to provide binaries for each
new release of Jemalloc or launch of a new Heroku stack. Builds are now
cached per version and stack so that changing either will cause a
rebuild on the first deploy.
@gaffneyc gaffneyc force-pushed the build-from-source branch from 799baa0 to ea4b6d6 Compare May 7, 2022 01:41
@gaffneyc
Copy link
Owner Author

Haven't had a chance to circle back on this but we've been using it for months in production. With the heroku-22 stack becoming generally available I'm planning to test a stack upgrade then come back and get this finished and merged. I've cut builds for heroku-22 in the mean time.

@gaffneyc gaffneyc merged commit c125b14 into master Jul 12, 2023
@gaffneyc gaffneyc deleted the build-from-source branch July 12, 2023 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants