docs: rfc-1101 tapplet

[karczuRF]

The aim of this Request for Comment (RFC) is to propose the Tapplet concept. Tapplets are dedicated Tari's applets registered on the L1 to ensure a superior level of security for network users.

[stringhandler]

Looking good so far. We need to have a signature to make sure that the contents have not been changed

[CjS77]

Good start, but needs a bit more detail to understand the proposal completely.

[CjS77]

Todo - update link after RFC 1100 is merged.

[CjS77]

TODO the tapplets Registry (another RFC will describe it) => [Tapplets Registry](link/to/rfc/)

[CjS77]

Can we think of an alternative? You points are fair, but npm has such a dismal security record that it might hurt the perceived integrity of the product.

Off the top of my head, I can't think of an alternative, besides IPFS, obviously.

Otherwsie maybe we can add armour to the npm packages, e.g. by utilitsing elements of https://theupdateframework.com ?

[karczuRF]

npm has such a dismal security record

Could you please elaborate on what you mean by that?
This is really good point and I'm gonna include this in the RFC, just need more context to compare with (if any) alternatives.
npm is as secure as IPFS at this point, because the idea of the registry based on checking the checksum of each version and only the codeowner of the tapplet can register the new version. Thus each version is stored separately in the registry.

TUF might be the way to go!

[CjS77]

Name of, and
Public key of publisher?

[karczuRF]

You mean this should be included in the tapplet manifest? I didn't add it because I guess npm package source could be enough, but definitely it's worth considering! Also I'll add it to RFC.

[CjS77]

Some questions that arise that aren't clear from the current text:

• How do you propose managing upgrades? It's a complex topic on it's own to be sure.
• Where does the manifest live / Are there commitments to it anywhere?
• The manifest is mutable. How do you handle attempts to change the content hash (to point to a malicious app) without changing the version? (If it's meant to be immutable, the status field isn't useful.)

[karczuRF]

These are really good points! I'll described them detailed in the RFC document, here just briefly.

1. Each version of a tapplet needs to be registered separately. Once registered and listed in Tapplets Registry (ofc with checksum and so on) it is not planned to changed any data and upgrade is done within new PR to the Tapplet Registry. Only codeowner of a specific version can do it.
2. Tapplet's manifest, tapplet.manifest.json, is placed in the tapplet package (I'll add sample tapplet package structure to visualize it)
3. Before adding a tapplet to the Registry, CI will check if proposed package has correct structure, valid checksum etc. If does - next CI will generate tappletsRegistry.manifest.json file. So the contect hash can't be updated without checking an app before. Next version can be added with a new PR to the Tapplets Registry repo only by the codeowner.

[CjS77]

LGTM

[stringhandler]

Can you explain why a Yat is needed. IMO yats should not be involved

[karczuRF]

Thanks for that question. Basically Yat integration was just an idea, because as I know the Tari Aurora app already has Yat support, so it could be used as part of the Tari. But it's ok to skip it and not involve Yat at all.