Are there plans to integrate it with something like Crev[0] for tying trusted code/security reviews to the binary artefacts?
I suppose the people you trust to audit some code will likely not be the same people you trust to do build verification for you, but it might be nice to manage those trust relationships in a single UI/config.
Perhaps we need better tools for helping manual code review. Detecting high-entropy strings would be a useful semi-automated check to find obfuscated code and accidentally-committed secret keys.
I think there should also be a culture of ensuring that a new patch release of some software passes the acceptance tests of the previous patch release (without changing or removing the tests).
A similar test for linting rules should also help (especially if those rules are designed to prevent Unicode homoglyph attacks), and a check for new uses of dangerous APIs like filesystem or network access would assist reviewers too.
Of course there is almost unlimited potential for underhanded code, if an attacker is skilled and patient enough to carefully introduce subtle bugs over time, but I think that a meaningful number of attacks could be avoided with these measures in place.
It'd be wonderful to have a quick what-it's-for and what's-it-not-for, eli5 style, on that home page. The current page is a bit light on details.
Is sigstore relevant only for signing Linux distributions, or do you see it being relevant for language specific package managers, like rubygems/npm/pip/...?
I suppose the people you trust to audit some code will likely not be the same people you trust to do build verification for you, but it might be nice to manage those trust relationships in a single UI/config.
[0] https://github.com/crev-dev/crev