Supply Chain Integrity For Polkadot and Parachains

Even though the Polkadot release process follows a strict standard to ensure the build is fully reproducible, there is still room for improving how the dependencies are referenced, so that any parachain or code built on a particular version of Polkadot uses the exact same dependencies as that version of Polkadot. The current practice, where in Cargo.toml Polkadot uses a branch of Substrate as a dependency, doesn't seem to be aligned with production-level releases. I'm referring to lines such as:
frame-system = { git = "https://github.com/paritytech/substrate", branch = "polkadot-v0.9.41" }
Here, if we had gone for a tag instead of a branch, we could be sure that the referenced code would fetch the same logic in subsequent builds. This is so we align the shipment with the Hermetic and Reproducible principles of SLSA 4. Any reason why we are not doing this?
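As an added example (not code from the original post or from the Polkadot/Substrate projects), a small Python check that scans inline-table git dependencies in the style of the line quoted above and reports whether each one is referenced by branch, tag, abbreviated commit or full commit; the manifest and the commit values in it are constructed, not real Polkadot revisions.

```python
import re
from typing import Dict, List

# Constructed sample Cargo.toml fragment in the style of the line quoted above
# (not a real Polkadot manifest; the rev values are placeholders, not real commits).
SAMPLE_MANIFEST = '''
[dependencies]
frame-system = { git = "https://github.com/paritytech/substrate", branch = "polkadot-v0.9.41" }
frame-support = { git = "https://github.com/paritytech/substrate", tag = "polkadot-v0.9.41" }
sp-core = { git = "https://github.com/paritytech/substrate", rev = "0123456789abcdef0123456789abcdef01234567" }
sp-io = { git = "https://github.com/paritytech/substrate", rev = "abc1234" }
serde = "1.0"
'''

# Matches one inline-table dependency line: name = { key = "value", ... }
DEP_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*\{([^}]*)\}\s*$', re.MULTILINE)
KV_RE = re.compile(r'([A-Za-z_]+)\s*=\s*"([^"]*)"')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify(fields: Dict[str, str]) -> str:
    """Rank how hermetic a git dependency reference is.
    - 'floating':  branch (or no ref) -> resolves to whatever HEAD is at fetch time
    - 'movable':   tag -> stable by convention, but a tag can be deleted or re-pointed
    - 'short-rev': abbreviated commit -> can become ambiguous as the repository grows
    - 'pinned':    full 40-hex commit -> immutable, content-addressed reference
    """
    if "rev" in fields:
        return "pinned" if FULL_SHA_RE.match(fields["rev"]) else "short-rev"
    if "tag" in fields:
        return "movable"
    return "floating"

def audit_git_deps(manifest: str) -> List[Dict[str, str]]:
    """Return one finding per git dependency found in the manifest text."""
    findings = []
    for m in DEP_RE.finditer(manifest):
        name, body = m.group(1), m.group(2)
        fields = dict(KV_RE.findall(body))
        if "git" not in fields:
            continue  # registry/path dependency: locked by Cargo.lock and the crates.io checksum
        findings.append({"name": name, "git": fields["git"], "status": classify(fields)})
    return findings

def floating_deps(manifest: str) -> List[str]:
    """Names of git dependencies whose source can change between two builds."""
    return [f["name"] for f in audit_git_deps(manifest) if f["status"] == "floating"]

if __name__ == "__main__":
    for f in audit_git_deps(SAMPLE_MANIFEST):
        print(f"{f['status']:10} {f['name']}")
```

Cargo.lock records the commit a branch resolved to for the crate that commits the lock file, but a downstream parachain that copies the `branch = ...` line does not inherit that lock, so the manifest reference itself is what has to carry the pin.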
