-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC for linking packages to their source and build #626
Merged
+654
−0
Merged
Changes from 1 commit
Commits
Show all changes
39 commits
Select commit
Hold shift + click to select a range
6e6ec6c
RFC for linking packages to their source and build
feelepxyz 8677dcf
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 9d6d28e
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 3432621
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 620b247
Addressing PR comments
feelepxyz aec5894
certs > certificates
feelepxyz 3833cb4
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 821e639
Clarify provenance
feelepxyz 849b928
Add Jenkins comparison
feelepxyz 956afb4
Add tuf repo and root
feelepxyz 147777d
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 5ed0772
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 78a7ee7
Rename CLI arg
feelepxyz 262a0b3
Add Circle and GitLab to env table
feelepxyz 0c69e1c
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 6b77dc9
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz da8a901
Add note on sct and slsa prov verifier
feelepxyz 7c1b9ed
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz ce838d5
Update sequence diagram to include id token req
feelepxyz 996b6d5
Fix ref to reverse proxy
feelepxyz fdf8d9d
Clarify sigstore conf is from the configured reg
feelepxyz ab81e1c
Add note about perf benchmark
feelepxyz 718650a
Add note about commitments
feelepxyz edb7937
Add section on long-lived ci/cd secrets
feelepxyz 3a030f9
Add a summary to implementation details
feelepxyz a2c45c2
Update provenance generation
feelepxyz 65e2a91
Clarify sigstore-js env support
feelepxyz 6f67e0b
Add section on additional events
feelepxyz 90c3673
Add section on unanswered questions
feelepxyz 44d0c62
Add note about audit sig
feelepxyz fff96cd
Expand Web PKI
feelepxyz be4ecba
Expand CAs
feelepxyz 4927444
Run a transparency log monitor for Rekor
feelepxyz 17aa6a7
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 842db1e
Update non-goals and trusted builder
feelepxyz 0715e14
Update accepted/0000-link-packages-to-source-and-build.md
feelepxyz 16822dd
Merge remote-tracking branch 'origin/main' into link-packages-to-sour…
feelepxyz 9bfdb52
Add note about travis credits
feelepxyz 53e2206
Sigstore GA, release > publish attestation
feelepxyz File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you elaborate here on why a local machine that i can configure is different than a CI machine that i can configure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a state space problem. A CI/CD system that is hosted immutably and can be verified/audited will be simpler to reason about compared with a laptop that usually has lots of arbitrary stuff installed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Supporting signing from both CI/CD and local machines increases the scope of the initial work quite a bit so we've decided to just start with signing from CI/CD as the identity solution (OIDC id tokens issued by the CI provider) does not extend to local machines.
There are ways we can support signing from local machines in future, e.g. using proof of email linked to a maintainer but this gives different guarantees than signing from CI/CD.
Related to this, my hope is that all public packages are eventually published from open, auditable and automated systems with all the other benefits this brings like ephemeral environments and the ability to prove what went into a build. Maybe I'm deluding myself on the possibility of this though? 🤔
I also think the experience and selection of automated build systems could be vastly improved to make publishing from one as easy as toggling a button or two on whatever source control system you might use that just works with the package setup/registry and versioning scheme you use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@feelepxyz the possibility is only there if the community freely decides to make that move - and it’s not a free decision unless the existing mechanisms are equally privileged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there are two reasons why this is challenging:
I agree that things could be dramatically easier. Unfortunately that does require substantial investments, and it is seemingly often very challenging for certain teams to actually secure the necessary resources to be able to accomplish the outcomes that are required to achieve that ease.