Re: [BuildStream] Protect against plugin modifications of artifacts

[William Salmon <will salmon codethink co uk>]

On 24/06/2020 09:19, Tristan Van Berkom wrote:
> Hi Will,
[...]
> With all of that out of the way, I'd like to separately reply to this:
>
>    "A repeatable plugin should not have a issue with writing to the
>     sandbox. So long as what is written is completely determined by the
>     yaml in the project (element.bst + project.conf + dep.bst) and is
>     thus repeatable and deterministic."
>
> So, to reuse a term which I came up with in the above text,
> "dynamic controlled content" for lack of a better term, could perhaps
> simply be a resolved %{variable} (which could contain a lot of text and
> act like a template, with conditionally resolved variables substituted
> within).
>
> If this is such an interesting feature to have, I don't see much reason
> why we could not implement such a feature in BuildStream, even using
> Python plugins. This could be an Element API which takes a Sandbox, a
> "%{variable}" name and an absolute path, which could stage a resolved
> variable as the content of a file in the sandbox safely.
>
> It would be interesting to see a proposal for such a feature, probably
> I would argue that the permissions used to stage such a file be very
> limited, or unspecified (something matching the hard coded permissions
> used to stage files from Sources into the sandbox).

I don't strongly disagree with the jist of this. Things like `with 
conditionally resolved variables` seems like it might hint at the 
required flexibility.

> That said, a controlled feature like this would be an extremely far cry
> from allowing python code to simply write whatever they want into the
> sandbox, and would not allow for the non-deterministic things which are
> currently being done by existing plugins which exploit this currently
> existing weakness.

In fact I have said in this thread:
"""I am not saying that this API should not be improved or that there is 
no room to make it better"""

I would think that we can come up with something that would be enough 
for many of the EXISTING AND IN-USE plugins that have been created and 
used in good faith that need to put things in to the sandbox. As well as 
supporting the plugin's that should exist like a genimage plugin.

I look forward to getting the details sorted so we can be sure they are 
useful and reproducible.

I don't think its a good idea to remove the old API without adding the 
new API as this would brake and block many existing projects who are 
trying to track bst-master and are providing feed back and many bug 
reports and some MR's.