save changes
This commit is contained in:
master
@@ -0,0 +1,59 @@
|
||||
# 16-Feb-2026 - Hybrid Diff Stack for Source and Binary Patching
|
||||
|
||||
## Source
|
||||
- Origin: user-submitted advisory in chat (2026-02-16).
|
||||
- Theme: versioning and patching across source + binaries using a hybrid
|
||||
source-symbol-binary diff pipeline.
|
||||
|
||||
## Advisory summary
|
||||
|
||||
Proposed architecture:
|
||||
|
||||
1. Source-level AST semantic edit scripts with symbol anchors.
|
||||
2. Build-time mapping from source edits to symbol ranges using DWARF/PDB and
|
||||
build-id metadata.
|
||||
3. Binary normalization followed by compact per-symbol delta generation.
|
||||
4. Signed packaging (DSSE + transparency logging) and policy gates based on
|
||||
function-level change scope.
|
||||
|
||||
Proposed deliverables:
|
||||
|
||||
- Builder outputs: `symbol_map.json`, `build_id`, normalized streams.
|
||||
- Differ outputs: `symbol_patch_plan.json`, per-symbol delta payloads,
|
||||
`patch_manifest.json`.
|
||||
- Verifier checks for build-id match, boundary-safe dry-run apply, and
|
||||
source-anchor reconciliation.
|
||||
- Evidence Locker schema extension for hybrid diff artifacts.
|
||||
|
||||
## Review result
|
||||
|
||||
Outcome: **Accepted as partially implemented and requiring additional delivery**.
|
||||
|
||||
Already implemented in repository:
|
||||
|
||||
- Normalized ELF segment hashing and normalization passes in BinaryIndex.
|
||||
- DeltaSig attestation model + CLI flow for signature extraction/sign/verify.
|
||||
- Symbol manifest model carrying debug and source metadata.
|
||||
|
||||
Gaps identified:
|
||||
|
||||
- No first-class AST semantic edit script artifact pipeline.
|
||||
- No canonical source-to-symbol map artifact contract emitted at build stage.
|
||||
- No unified symbol patch plan manifest linking AST anchors to normalized
|
||||
per-symbol delta artifacts.
|
||||
- Function boundary/address accuracy still incomplete in parts of DeltaSig
|
||||
function delta generation.
|
||||
|
||||
## Translated artifacts
|
||||
|
||||
- High-level doc: `docs/hybrid-diff-patching.md`
|
||||
- Module dossier: `docs/modules/binary-index/hybrid-diff-stack.md`
|
||||
- Sprint plan: `docs/implplan/SPRINT_20260216_001_BinaryIndex_hybrid_diff_patch_pipeline.md`
|
||||
|
||||
## De-duplication note
|
||||
|
||||
This advisory extends earlier binary diff and symbol mapping advisory work, not
|
||||
replace it:
|
||||
|
||||
- `docs-archived/product/advisories/30-Dec-2025 - Binary Diff Signatures for Patch Detection.md`
|
||||
- `docs-archived/product/advisories/18-Dec-2025 - Building Better Binary Mapping and Call-Stack Reachability.md`
|
||||
@@ -0,0 +1,24 @@
|
||||
# 16-Feb-2026 - eBPF micro-witness deterministic replay across distros
|
||||
|
||||
## Advisory source
|
||||
- Source: user-provided product advisory text (review session, 2026-02-16 UTC).
|
||||
- Scope: CO-RE eBPF micro-witnesses replayable and deterministic across kernels, distros, and toolchains, with DSSE + Sigstore bundle portability.
|
||||
|
||||
## Outcome
|
||||
- Result: partially aligned implementation with confirmed contract and implementation gaps.
|
||||
- Decision: advisory translated into product/module docs plus an active implementation sprint.
|
||||
|
||||
## Confirmed gap themes
|
||||
- Runtime collector support check is hard-gated on `/sys/kernel/btf/vmlinux`; split-BTF/external-vmlinux fallback behavior is not implemented as a deterministic recorded contract.
|
||||
- Runtime witness payload lacks required deterministic symbolization tuple for cross-distro replay (`symbolizer`, `libc_variant`, `sysroot`, debug/symbol pointers).
|
||||
- Runtime witness generation pipeline is interface-defined but not implemented end-to-end in Scanner.
|
||||
- DSSE witness support exists, but per-witness Sigstore bundle contract (`trace.sigstore.json`) is not standardized in witness storage/export/indexing.
|
||||
|
||||
## Translation artifacts
|
||||
- Active sprint: `docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
|
||||
- Product update: `docs/product/ebpf-micro-witness-determinism.md`
|
||||
- Module contract: `docs/modules/signals/contracts/ebpf-micro-witness-determinism-profile.md`
|
||||
|
||||
## Notes
|
||||
- External web fetches: none.
|
||||
- Repository verification inputs included runtime and storage code paths under `src/Signals/`, `src/Scanner/`, `src/RuntimeInstrumentation/`, `src/Attestor/`, and `src/EvidenceLocker/`.
|
||||
Reference in New Issue
Block a user