Mops - on-chain package manager for Motoko!

Do we then need to include package hashes into mops to defend against malicious nodes?

The mops canister could compute a hash of each released version and make it available through a replicated query. The local mops binary could then continue to retrieve the code through a non-replicated query and compare its hash against the hash retrieved by a replicated query.


Assuming MOPS uses the default asset canister to host the packages, then this verification is almost free. The asset canister adds certification, but the receiving side has to do the checking. @NathanosDev would be the right person to talk to for this @ZenVoich

Unfortunately it looks like the backend is completely custom, so a custom certification would need to be added.

@timo’s solution to use a replicated query to retrieve the package metadata and then use this to secure the query call that retrieves the actual package is interesting, but if the hash of each package is already calculated then you can save the extra replicated query call by putting it into a merkle tree using the ic-certification package and then setting the root hash as the canisters certified data.

But then, as @Vivienne mentioned the certification needs to be verified on the client side. Since the CLI is written in JavaScript, it can follow a similar approach to what the Service Worker used to do: ic/validation.ts at 80951dd80ab036ae595012142556b37bb7dfabe7 · dfinity/ic · GitHub


Basically a package is downloaded only once to the global cache and then installed from there.

What if you get the hash of the package via a replicated query call, save it locally, and use the cli to check the hash of local files without using certified data?

If the package files and hashes are cached, then there is no need to make any requests to the canister.

What does “global cache” mean and where is it located on the filesystem?

Now it is ~/mops; it will be changed to ~/.cache/mops in the future.

This sounds good to me since the number of replicated queries will be low


Thanks, I was looking for this. Currently, if you have a package github_X@main then mops doesn’t detect new commits to that branch. Now I know which cache to delete because deleting .mops/_github/X@main in the project directory wasn’t enough.

Also you can use mops cache clean


How do you count the number of downloads?

The CLI notifies the canister every time a package is installed (when there is no package cache in the .mops directory).

So a CI workflow run will then most likely increase it.

Anniversary update! :tada:

I started developing mops at the SUPERNOVA hackathon 1 year ago.
Since then there have been 49 packages published and 12k downloads. I would like to thank everyone who uses mops and those who publish their packages on mops. For package authors, even more than thanks - read to the end :wink:

Don’t forget to update mops cli to get new features:

npm i ic-mops -g

New command "mops remove <pkg>"

New cli command to remove package from mops.toml and cached files from .mops folder.

User profile

Use mops user set name <username> to set your username (also github/twitter)

Example:

mops user set name zen
mops user set github ZenVoich
mops user set twitter mops_one

How it looks on the site:

Click on user name to search all user packages:

Private key encryption

Now you can encrypt the private key imported from dfx with a password.
If you have already imported the private key, you will need to re-import it in order to encrypt it.

Package documentation

No extra steps required, just publish your package and the documentation will be generated and published as well.

New packages published on mops

  • certified-cache - A single interface that stores key-value pairs and certifies their hashes for use as certified variables or assets.
  • server - An express-like server for Motoko
  • star - A Motoko library for handling asynchronous and trappable behavior with the async* functions.
  • linked-list - a doubly linked list with functions for node level access
  • assets - Asset canister functionality for your canister
  • libsecp256k1 - Motoko port of libsecp256k1
  • evm-txs - EVM transaction creation, encoding, and decoding in pure Motoko
  • vector - Memory-efficient resizable array (replaces Buffer)
  • candy - Library for Converting Types and Creating Workable Motoko Collections
  • kyc - library provides a client for interacting with icrc-17 kyc servers
  • origyn-nft - The reference implementation for the ORIGYN NFT
  • prng - Statistical pseudo-random number generators
  • ckbtc-types - Types and interfaces for interacting with ckBTC canisters (minter, ledger, index, archive)
  • stableheapbtreemap - An imperative BTreeMap that can persist across upgrades via a stable variable in heap memory
  • enumeration - Add-only set of keys with numbering and two-way lookup.
  • splay - Splay tree library

Cycles Airdrop! :small_airplane:

Everyone who has published a package on mops is eligible to claim 15 TC + 1 TC for each published package!

A total of ~430 TC will be distributed.

Snapshot was taken yesterday (31.05.2023). You must claim your airdrop within a month.

Check how many cycles you can get

mops airdrop check

Claim (cycles will be sent to specified canister)

mops airdrop claim <canister-id>

Does mops install pull in dependencies recursively?

Yes, it installs all transitive dependencies

Also through https/github links?

Yes, github dependencies too

Update

mops init prompt

mops init will ask you for package details and initialize the default package files (license, test, readme, .gitignore, github workflow)

New command - mops bump

The new command helps you bump your package version (updates version = "x.x.x" in mops.toml)

mops bump major - bump major part of version (X.y.z)
mops bump minor - bump minor part of version (x.Y.z)
mops bump patch - bump patch part of version (x.y.Z)

Running mops bump without the argument will show a prompt.


Update

:new: Package categories

Improved discoverability of Motoko packages on https://mops.one

:new: Package test stats

Package tests will be run on publish and attached to the package version

:new: Package file stats

For newly published packages the total package size and number of files are displayed.

:new: New command - mops outdated

mops outdated

Outputs available dependency updates:

:new: New command - mops update

Update all dependencies:

mops update

Update only a specific dependency:

mops update vector

:new: New command - mops sync

Analyzes source code and:

  • adds/installs missing packages that are used in the source code but are not listed in mops.toml
  • removes unused packages listed in mops.toml but not imported in the source code

mops sync


:package: New packages published on mops

  • sha2 - Optimized implementation of all SHA2 functions
  • rxmo - RxMO is a library for reactive programming using Observables, to make it easier to compose asynchronous or callback-based code.
  • rxmodb - RxMoDb is a Motoko Database using Vector for its main storage and BTree for indexes.
  • swb - Sliding window buffer with random access
  • deflate - Deflate compression and decompression algorithm with support for the GZIP file format
  • certified-http - A single interface that stores key-value pairs and certifies their hashes for use as certified variables or assets.
  • candb - candb is a flexible, performant, and horizontally scalable non-relational multi-canister data store built for the Internet Computer.
  • web-io - set of modules for creating http requests and handling responses.
  • http-types - Canister HTTP interface types used in http_request and http_request_update
  • backup - On-chain backup/restore system
  • rbac-motoko - Role-Based Authentication Class
  • datetime - A library for DateTime values and manipulation in Motoko
  • motoko-certified-assets - Certified assets on Internet Computer

Is there (or should there be) a way to specify in mops.toml the minimal compiler version that a package requires?
