by dane-pgp
1707 days ago
> Q8: What should you look for when selecting artifacts from a registry?
> ANSWER: That artifacts have been cryptographically and verifiably signed

Great to see this becoming an expectation, or at least a well-known aspiration. The link to the sigstore website provides a good introduction about how to achieve this goal.[0]

There's no fundamental reason why getting a malicious binary onto someone's machine should be easier than getting malicious source code into a repo, but unfortunately catching malicious source code might be "the other 90% of the problem", and might ultimately require something like decentralised developer reputation vouching, which is far from being a solved problem.

[0] https://www.sigstore.dev/