CIP-0052? | Cardano audit best practice guidelines #252

Merged
merged 10 commits into from
Jun 7, 2022

simonjohnthompson
Contributor

These guidelines are the result of a process of discussion between IOG staff, and members of the audit and academic communities, over a series of online meetings in February and March 2022. Audit organisations involved include Tweag, WellTyped, Certik, Runtime Verification, BT Block, MLabs, Quviq and Hachi/Meld, all of which supported the guidelines outlined here.

The CIP has been in the forum for one week now. It would be really helpful to have this reach visible status by 17 May, for discussion at meetup in Barcelona on Certification and Audit on 17-18 May.

Collaborator

@rphair rphair left a comment

Looks good to me, especially since already extensively reviewed. I do remember when this doc was posted on the forum & I think there were no comments there because it already looks complete.

Ordinarily I would recommend adding the forum link (https://forum.cardano.org/t/cip-proposal-cardano-audit-best-practice-guidelines/100022) as a Comments-URI but no sense doing that in this case because there's been no discussion there.

I'm not directly involved in the process that assigns CIP numbers but wanted to make sure this had 1 of the 2 required approving reviews: the next CIP meeting is on 10 May and probably @KtorZ and/or others could assign a number & push it through at that time, if not before.

Here is the link to that meeting if you would like to follow along or attend & speak, to assure it's approved & merged on time: https://www.crowdcast.io/e/cip-editors-meeting-44/register

@rphair rphair requested a review from KtorZ May 4, 2022 00:36
Member

@KtorZ KtorZ left a comment

Did a first round of very "surface review". Few suggestions already however:

  • Perhaps provide a concrete example of an audit request for some fake project, just to illustrate a bit the guidelines. Some of the wording in the document is a bit subjective (e.g. 'clearly specify') and would really depend on developers' own standards I reckon. Having some example which shows where to set the bar could be beneficial.

  • Would it be worth it to perhaps have a list of auditors and their point of contact at the end of the CIP? We could encourage auditing companies to come and add themselves here for visibility and at the same time, make it 'low effort' for interested projects to find auditors.

  • I like the on-chain specification contract interface idea which could in itself, be a separate CIP defining a common wording to describe the interface of on-chain scripts (think, OpenAPI for Cardano contracts, cc @scarmuega).

  • Wild idea also, borderline in scope with this CIP but an idea nonetheless, would it make sense to standardize the process by which auditors may confirm / advertise their audits? via for example, an on-chain transaction with metadata recording on-chain versions (e.g. script hashes) of the contract that they have audited, when, as well as the result of the audit. This could leverage the chain to provide proofs of audits at given point in time.

CIP-Thompson-AuditBestPractice/CIP-XXX.md
Comments-Summary: No comments yet.
Comments-URI: https://github.com/cardano-foundation/CIPs/wiki/Comments:CIP-\?
Status: Draft
Type: Process
Member

👍

Contributor Author

Fine with me.

* An estimate of the scale of the audit work, e.g. the number of lines in the on-chain code to be audited, or the code itself, in its current state of development.

### Submission
In order to be audited, developers will need to supply the following documentation.
Member

It seems like this section is "the meat" of the CIP, though it comes only after 100 lines. I'd suggest moving this upwards and have the glossary + FAQ moved after or as annexes (with perhaps a mention early on "you can find definitions of the terms used in this CIP in annex A").

Contributor Author

Happy to do that.

CIP-Thompson-AuditBestPractice/CIP-XXX.md
Co-authored-by: Matthias Benkort <5680256+KtorZ@users.noreply.github.com>
@simonjohnthompson
Contributor Author

Did a first round of very "surface review". Few suggestions already however:

  • Perhaps provide a concrete example of an audit request for some fake project, just to illustrate a bit the guidelines. Some of the wording in the document is a bit subjective (e.g. 'clearly specify') and would really depend on developers' own standards I reckon. Having some example which shows where to set the bar could be beneficial.

Happy to do that.

  • Would it be worth it to perhaps have a list of auditors and their point of contact at the end of the CIP? We could encourage auditing companies to come and add themselves here for visibility and at the same time, make it 'low effort' for interested projects to find auditors.

My only concern is about whether that confers some sort of approval on those listed. This may be something that legal would be unhappy with, as might those excluded from the list in some way.

  • I like the on-chain specification contract interface idea which could in itself, be a separate CIP defining a common wording to describe the interface of on-chain scripts (think, OpenAPI for Cardano contracts, cc @scarmuega).

Yes.

  • Wild idea also, borderline in scope with this CIP but an idea nonetheless, would it make sense to standardize the process by which auditors may confirm / advertise their audits? via for example, an on-chain transaction with metadata recording on-chain versions (e.g. script hashes) of the contract that they have audited, when, as well as the result of the audit. This could leverage the chain to provide proofs of audits at given point in time.

That's precisely what we're aiming to do. The delay in this has come from discussions about ways in which DApps can be registered on Cardano, which leads into questions of identity. Once that's resolved the plan is to build on top of that.

@simonjohnthompson
Contributor Author

Hi folks - is there any update on the meeting on 10 May? If we were able to get a number for this, and make it visible, that would be great.

@KtorZ
Member

KtorZ commented May 11, 2022

I'll be assigning a tentative number today and minutes from the meeting will be available soon enough too.

In brief: we brought attention to this CIP in the call for DApp developers to have a look. We think it makes sense and we'd like to move it as "ready for review" for the next call, so giving a full 2 weeks for people to review and contribute to the discussion. In the meantime, we'll assign a number to it and unless major concerns are raised against (which I see as quite unlikely), it'll move to the next phase in the next bi-weekly meeting.

@KtorZ KtorZ changed the title Cardano audit best practice guidelines CIP-0052? | Cardano audit best practice guidelines May 11, 2022
@KtorZ
Member

KtorZ commented May 11, 2022

@simonjohnthompson in terms of editorial work, you may also:

  • Put all files in a directory CIP-0052
  • Have the main CIP file named README.md in that folder
  • Name other files however you like
  • Change the status to proposed as I assume there won't be any substantial addition to do

@simonjohnthompson
Contributor Author

Any update after the CIP meeting on 24-05-2022?

Added appendices with cardano auditors list and sample audit report.
@simonjohnthompson
Contributor Author

Committed 6-6-22

  • FAQ and glossary into appendices
  • added appendices on (a) cardano auditors and (b) sample audit report.

@KtorZ KtorZ merged commit 1db9cec into cardano-foundation:master Jun 7, 2022