by remram 588 days ago
Hopefully the attestation is bound to a specific commit, so you can know the binaries came from the source?

Otherwise I don't get it.

Yes, it’s bound to a specific commit; we just don’t present that in the web UI yet. If you click on the transparency log entry, you’ll see the exact commit the attestation came from.

It doesn't seem to be, from what I can see. It only states that the upload came from a GH runner.

See adjacent comment above.

OK, that's at least something.

But my CI can download and run code from anywhere, so that doesn't mean I can know what is being uploaded just by looking at the git repository alone.