// provenance_manifest.kdl
// Extended KDL manifest schema with full provenance chain embedding
// This shows how package manifests embed complete source attribution
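package "htop" {
    version "3.2.2"
    stream "stable"

    // Core package metadata
    metadata {
        description "Interactive process viewer"
        homepage "https://htop.dev"
        license "GPL-2.0"
        architecture "x86_64"
        build_date "2025-08-05T14:30:00Z"
    }

    // Package hashes for integrity
    // NOTE(review): the digests below are truncated placeholders ("..."); a real manifest carries the full value.
    // NOTE(review): manifest_hash lives inside the manifest it covers, so the hashed form must exclude this
    // field (or hash a canonical form without it) — the rule is not stated here, confirm against the verifier.
    hashes {
        package_hash "blake3-abc123def456789..."
        manifest_hash "blake3-def456789abc123..."
        content_hash "blake3-789abc123def456..."
    }

    // REVOLUTIONARY: Complete provenance chain embedded in manifest
    provenance {
        source_type "grafted" // original, grafted, converted, rebuilt, mirrored
        trust_score 0.85 // Calculated trust score (0.0-1.0); equals trust_calculation.final_score below
        last_verified "2025-08-05T14:30:00Z"

        // Original source information
        original_source {
            url "https://github.com/htop-dev/htop/archive/3.2.2.tar.gz"
            ecosystem "github"
            fetch_method "http"
        }

        // Complete provenance chain
        // Steps are linked by hash: each step's input_hash repeats the previous step's output_hash,
        // and the root step carries an empty input_hash.
        chain {
            // Step 1: Source fetching
            step type="source" {
                timestamp "2025-08-05T10:00:00Z"
                actor "automated-graft-engine"
                location "nexusos-infrastructure"
                input_hash "" // chain root: nothing precedes the fetch
                output_hash "blake3-source123456..."
                verified true

                metadata {
                    source_url "https://github.com/htop-dev/htop/archive/3.2.2.tar.gz"
                    fetch_method "http"
                    user_agent "nimpak-fetcher/1.0"
                    content_type "application/gzip"
                }

                // Optional cryptographic signature
                // NOTE(review): the manifest does not say which bytes `value` signs (the whole step node,
                // output_hash only, ...); a verifier needs that canonicalisation to check the signature.
                signature {
                    algorithm "ed25519"
                    key_id "nexusos-graft-engine-2025"
                    value "base64-encoded-signature-data"
                    timestamp "2025-08-05T10:00:00Z"
                }
            }

            // Step 2: Package grafting from Arch Linux
            // NOTE(review): input_hash is the GitHub tarball from step 1, but the step extracts an Arch package
            // (original_package). That artifact has no fetch step or digest of its own in this chain, so its
            // integrity and origin are not attested here — confirm whether the graft engine records it elsewhere.
            step type="graft" {
                timestamp "2025-08-05T10:15:00Z"
                actor "automated-graft-engine"
                location "graft-engine"
                input_hash "blake3-source123456..."
                output_hash "blake3-graft789abc..."
                verified true // restored: the line was truncated to "ve" in the source; matches the other steps and step_verification.graft_step

                metadata {
                    source_ecosystem "arch-linux"
                    original_package "htop-3.2.2-1-x86_64.pkg.tar.zst"
                    graft_method "archive-extraction"
                    verification_performed true
                    files_extracted 47
                }

                signature {
                    algorithm "ed25519"
                    key_id "nexusos-graft-engine-2025"
                    value "base64-encoded-graft-signature"
                    timestamp "2025-08-05T10:15:00Z"
                }
            }

            // Step 3: Package conversion to .npk format
            step type="convert" {
                timestamp "2025-08-05T10:30:00Z"
                actor "nimpak-converter"
                location "nexusos-infrastructure"
                input_hash "blake3-graft789abc..."
                output_hash "blake3-convert123def..."
                verified true

                metadata {
                    converter_version "nimpak-1.0.0"
                    conversion_method "gobolinux-restructure"
                    manifest_generated true
                    integrity_verified true
                }

                signature {
                    algorithm "ed25519"
                    key_id "nexusos-converter-2025"
                    value "base64-encoded-convert-signature"
                    timestamp "2025-08-05T10:30:00Z"
                }
            }

            // Step 4: Final package signing
            step type="sign" {
                timestamp "2025-08-05T10:45:00Z"
                actor "nexusos-signing-authority"
                location "signing-infrastructure"
                input_hash "blake3-convert123def..."
                output_hash "blake3-convert123def..." // Signing doesn't change content: the signature is detached (see metadata), so the payload digest is unchanged
                verified true

                metadata {
                    signing_authority "NexusOS Package Authority"
                    key_algorithm "ed25519"
                    signature_type "detached"
                    policy_version "2025.1"
                }

                signature {
                    algorithm "ed25519"
                    key_id "nexusos-repo-2025"
                    value "base64-encoded-final-signature"
                    timestamp "2025-08-05T10:45:00Z"
                }
            }
        }

        // Trust calculation breakdown
        // NOTE(review): the listed terms sum to 1.15 (0.5 + 0.05 + 0.2 + 0.1 + 0.2 + 0.1 - 0.0), not the 0.85
        // recorded as final_score; the aggregation rule (clamping, weighting, or cap) is not stated in this manifest.
        trust_calculation {
            base_score 0.5
            source_type_modifier 0.05 // Grafted penalty — NOTE(review): the value is positive although described as a penalty; confirm the sign convention (the mirrored example in this file uses -0.1)
            actor_trust_bonus 0.2 // Trusted actors
            location_trust_bonus 0.1 // Trusted locations
            signature_bonus 0.2 // All steps signed
            verification_bonus 0.1 // All steps verified
            age_penalty 0.0 // Recent provenance
            final_score 0.85
        }

        // Verification status
        // NOTE(review): every field in this block is asserted by the manifest producer. A consumer must
        // recompute the hash chain and check each signature against its own trust store rather than
        // accept hash_chain_valid / signatures_valid / keys_trusted as given.
        verification {
            last_verified "2025-08-05T14:30:00Z"
            verification_successful true
            errors []

            step_verification {
                source_step true
                graft_step true
                convert_step true
                sign_step true
            }

            hash_chain_valid true
            signatures_valid true
            keys_trusted true
        }
    }

    // Dependencies with their own provenance
    dependencies {
        libc {
            version "2.38"
            trust_score 0.95 // Higher trust for core libraries
            provenance_summary {
                source_type "original"
                chain_length 3
                all_signed true
                last_verified "2025-08-04T12:00:00Z"
            }
        }

        ncurses {
            version "6.4"
            trust_score 0.88
            provenance_summary {
                source_type "grafted"
                chain_length 4
                all_signed true
                last_verified "2025-08-04T15:30:00Z"
            }
        }
    }

    // ACUL compliance with provenance integration
    acul {
        required false
        membership "NexusOS-Community"
        license "GPL-2.0"

        // Provenance-based compliance
        provenance_compliant true
        trust_threshold_met true
        source_attribution_complete true
        build_reproducible true
    }

    // Installation metadata
    installation {
        installed_at "2025-08-05T15:00:00Z"
        installed_by "user-markus"
        installation_method "nip-install"
        cell "default"

        // Post-installation verification
        post_install_verification {
            integrity_verified true
            provenance_verified true
            trust_score_acceptable true
            policy_compliant true
        }
    }
}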
// Example of a high-trust original source package
package "nim-compiler" {
    version "2.0.0"
    stream "stable"

    // Provenance for a package built directly from upstream source
    provenance {
        source_type "original"
        trust_score 0.98 // Very high trust for original source; equals trust_calculation.final_score below

        original_source {
            url "https://github.com/nim-lang/Nim/archive/v2.0.0.tar.gz"
            ecosystem "github-official"
            verified_publisher true
        }

        // Three-step chain: fetch -> build -> sign, linked by input_hash / output_hash
        chain {
            // NOTE(review): the signature key_id names the Nim project while the step actor is the
            // NexusOS build farm; confirm which party actually produced this signature.
            step type="source" {
                timestamp "2025-08-01T09:00:00Z"
                actor "nexusos-build-farm"
                location "reproducible-builds"
                input_hash "" // chain root: nothing precedes the fetch
                output_hash "blake3-nim-source..."
                verified true

                signature {
                    algorithm "ed25519"
                    key_id "nim-lang-official-2025"
                    value "official-nim-signature"
                    timestamp "2025-08-01T09:00:00Z"
                }
            }

            step type="build" {
                timestamp "2025-08-01T09:30:00Z"
                actor "nexusos-build-farm"
                location "reproducible-builds"
                input_hash "blake3-nim-source..."
                output_hash "blake3-nim-build..."
                verified true

                // Build inputs recorded so the output can be reproduced and compared
                metadata {
                    build_system "nim-bootstrap"
                    build_flags ["--opt:speed", "--gc:orc"]
                    compiler_version "nim-1.6.14"
                    build_environment "reproducible"
                    build_reproducible true
                }

                signature {
                    algorithm "ed25519"
                    key_id "nexusos-build-farm-2025"
                    value "build-signature-data"
                    timestamp "2025-08-01T09:30:00Z"
                }
            }

            step type="sign" {
                timestamp "2025-08-01T10:00:00Z"
                actor "nexusos-signing-authority"
                location "signing-infrastructure"
                input_hash "blake3-nim-build..."
                output_hash "blake3-nim-build..." // signing leaves the payload digest unchanged
                verified true

                signature {
                    algorithm "ed25519"
                    key_id "nexusos-repo-2025"
                    value "final-package-signature"
                    timestamp "2025-08-01T10:00:00Z"
                }
            }
        }

        // NOTE(review): the listed terms sum to 1.35, not the 0.98 recorded as final_score; the
        // aggregation rule (clamping, weighting, or cap) is not stated in this manifest.
        trust_calculation {
            base_score 0.5
            source_type_modifier 0.1 // Original source bonus
            actor_trust_bonus 0.2 // Highly trusted actors
            location_trust_bonus 0.1 // Trusted build infrastructure
            signature_bonus 0.2 // All steps cryptographically signed
            verification_bonus 0.1 // Perfect verification record
            completeness_bonus 0.1 // Complete provenance chain
            official_publisher_bonus 0.05 // Official Nim project
            final_score 0.98
        }
    }
}
// Example of a low-trust package with issues
package "suspicious-tool" {
    version "1.0.0"
    stream "testing"

    // Provenance for a package whose chain fails verification at every step
    provenance {
        source_type "mirrored"
        trust_score 0.35 // Low trust due to issues; equals trust_calculation.final_score below

        // Two-step chain with no signatures; the errors list below enumerates what failed
        chain {
            step type="source" {
                timestamp "2025-07-01T12:00:00Z"
                actor "unknown-mirror"
                location "untrusted-location"
                input_hash "" // chain root: nothing precedes the fetch
                output_hash "blake3-suspicious..."
                verified false // Verification failed

                metadata {
                    source_url "http://sketchy-mirror.com/tool.tar.gz"
                    fetch_method "http"
                    ssl_verified false // plain-http URL: there was no TLS session to verify
                }

                // No signature - red flag
            }

            step type="build" {
                timestamp "2025-07-01T13:00:00Z"
                actor "unknown-builder"
                location "unknown-location"
                input_hash "blake3-suspicious..."
                output_hash "blake3-build-suspicious..."
                verified false

                metadata {
                    build_system "unknown"
                    build_flags []
                    build_reproducible false
                }

                // No signature - another red flag
            }
        }

        // NOTE(review): the listed terms sum to -0.35 (0.5 minus 0.85 of penalties), not the +0.35
        // recorded as final_score; the aggregation rule (clamping to 0.0-1.0, weighting) is not stated here.
        trust_calculation {
            base_score 0.5
            source_type_modifier -0.1 // Mirrored penalty
            actor_trust_penalty -0.2 // Unknown actors
            location_trust_penalty -0.1 // Untrusted locations
            signature_penalty -0.2 // No signatures
            verification_penalty -0.2 // Failed verification
            ssl_penalty -0.05 // No SSL verification (fetch was over plain HTTP)
            final_score 0.35
        }

        // Verification status as reported by the producer; a consumer should re-derive these results
        verification {
            last_verified "2025-08-05T14:30:00Z"
            verification_successful false
            errors [
                "No cryptographic signatures found",
                "Unknown build actors",
                "Source fetched over insecure HTTP",
                "Build not reproducible"
            ]
        }
    }
}