Verify the checksums of your dependency artifacts. Works with deps.edn.
This ensures that everyone is running the same code. This is both a correctness and a safety measure.
Problems to be solved, features to be implemented:
- The bootstrapping problem: we must not accidentally load the dependencies
from
deps.ednbefore running this code. Possible solutions include creating a uberjar or a GraalVM native image. - Can this code be hooked into tools.deps to automatically verify the dependencies?
- For Gradle, there's gradle-witness.
- Go uses the
go.sumfiles. They're verified against a checksum database, similar to Certificate Transparency. - Maven has some kind ofchecksum support, but it only stores the checksums in the registry.
- npm's
package-lock.jsonfiles include theintegrityfield. I'm not sure if npm actually verifies it.
My previous sketch along the same lines focused on the GPG signatures of the packages. However, I'm increasingly thinking that the signature approach, as implemented with Maven repositories, is a dead end.