GPN20:Build Anything with Warpforge -- Reproducibly, Decentralized, With Friends

aus dem Wiki des Entropia e.V., CCC Karlsruhe
Zur Navigation springenZur Suche springen


Ein Vortrag von Eric Myhre auf der GPN20.

Warpforge's approach to becoming a powerful "Build Anything" tool is to orient itself around providing the user with "computation-addressable" systems -- meaning: the same idea as content-addressable systems, but now extended to also apply to data processing and software compilation. The use of cryptographic hashes to identify data has valuable properties for both security and for simplifying organization; in Warpforge, we apply that same idea to hashing the descriptions of environments and the computations we want to run within them, for similar victories in both security and simplification. What Git did for source code version control, Warpforge wants to do for build instructions and data processing: decentralized, snapshottable, portable, and utterly agnostic to whatever you put in it.

Warpforge is granular: although it uses containers for hermeticity, Warpforge lets you compose the filesystem from as many pieces as you want. Warpforge features a freeform filesystem assembly syntax, which lets you state any content you want shall appear at any path you want. This stands in stark contrast to most other container systems which limit you to monolithic "images" -- which invariably devolve into balls-of-mud, becoming difficult to maintain, difficult to introspect, and almost impossible to compose.

Warpforge is a hackable tool. Everything works via a JSON API. There are both "high" and "low" level variants of this API: the "high" level lets you describe pipelines of computations, wired together with human-readable names of your choosing; the "low" level API always uses only content-addressable hashes for all data input, and always hashes things immediate upon output. The interaction of these two APIs is the secret sauce: it makes a system that's both usable and also highly precise and highly auditable and reproducible.

Warpforge aims to be a developer productivity tool, but at the same time, shift the culture: much like Git taught the world about hash trees, Warpforge wants to teach the world about reproducible builds. Because every output is hashed, computation that fails to reproduce the same output becomes noticed immediately.

Warpforge is a perfect tool for those interested in SBOMs (Software Bill Of Materials). Because Warpforge identifies all inputs explicitly, it can very naturally produce an SBOM. In fact, it does so in standard operation -- and unlike many other sytems, Warpforge doesn't just produce a descriptive, after-the-fact SBOM: Warpforge instructions are actually a load-bearing bill-of-materials by nature.

Warpforge stops slightly short of doing package management. However, Warpforge does offer some suggestions on ways to build package management systems... with more merkle trees, so that things remain reproducible, introspectable, and auditable even as they grow in systemic complexity. (That's enough spoilers; come the talk to see how!)

You can find out more about Warpforge at http://warpforge.io/ and https://github.com/warpfork/warpforge/ .

Links