[ENT-12099] Initial implementation of an experimental feature of policy set analysis

[jakub-nt]

No description provided.

[cf-bottom]

Thanks for submitting a PR! Maybe @craigcomstock can review this?

[craigcomstock]

a few questions/comments, all looks good-to-go except maybe moving the release-information checksum into a separate file, that might be a nice change for maintenance purposes.

[craigcomstock]

Right. So when we release we need to update this.
We need to add instructions to this template ticket for releases: https://northerntech.atlassian.net/browse/ENT-12575

[craigcomstock]

I added a note already referring to line 83 above but we should update it after merging this PR to the "real" location/URL. Maybe it would be better to externalize this checksum in a single file for easier maintenance so folks could just "edit file" in github and make a PR without having to search through analyze.py?

[olehermanse]

@craigcomstock @jakub-nt no, we should not do it like this. As it's implemented here, cfbs analyze essentially stops working in all versions of cfbs when we release something new in release-information, and we have to release a new version of cfbs to fix it.

Keep in mind that HTTPS already has signatures and thus integrity checking, and so should be protected against corrupt downloads / MITM attacks. So what we are doing here is an additional check, to protect against for example a compromised user having access to edit the data in GitHub.

The correct way to do this is via some form of "releases". Either GH releases, with a download zip and a checksums.txt - assuming that they are a bit better protected, i.e. fewer people have access to edit releases. Or to avoid the single point of failure in GitHub, we could put the checksums.txt in another place, like our cfengine.com website, via the releases.json.