Create an API for install scripts to provide more metadata to `welk` without breaking installs that don't use `welk`. Something like YAML piped to stdout. This metadata might include things like name and description, but would really shine by telling `welk` about additional directories and files that the program will create after install and that could be cleaned up. As always, take a position of not trusting the scripts, even with this metadata.
Overdue by 2 year(s) • Due by June 30, 2023
With coverage of installer scripts and arbitrary run scripts, introduce a watchdog mechanism to proactively monitor and alert on script changes, helping to mitigate supply chain attacks. This mechanism could be an email list people sign up for, or a Twitter account, or whatever. Take inspiration from "have I been pwned?"
Overdue by 2 year(s) • Due by March 31, 2023
After locking down scripts in the [Season of the warden](https://github.com/jbowes/welk/milestone/5), introduce `welk run` to run scripts that don't install anything, with restricted inputs and outputs.
Overdue by 2 year(s) • Due by December 31, 2022
Assume all scripts are malicious. Lock them down to a degree so extreme it seems foolish. Is there any way to apply this to installed binaries?
Overdue by 3 year(s) • Due by September 30, 2022
Add support for anyone creating their own script registry. Include private registries with auth. Private registries allow you to host "secret" scripts that others can discover and view info about, if they have a password. Or whatever auth material is required.
Overdue by 3 year(s) • Due by June 30, 2022
Broadcast known scripts. Create a package/script registry driven by the same mechanisms used to report new scripts. Include checksum information in the registry. Allow anyone to publish information about installed scripts in their own location (e.g., a gist) with file names hashed for security. Allow other users to source these for file integrity information.
Overdue by 3 year(s) • Due by March 31, 2022
Discover and catalog a wide array of install scripts. During the season, `welk` should be prompting for reports on every install. Create tooling to support / automate this. Increase `welk` coverage through supporting all the reported scripts.
Overdue by 3 year(s) • Due by December 31, 2021 • 0/6 issues closed