by st3fan
588 days ago
Well, yes and no. From the perspective of an infosec professional who is focused on supply chain security I can tell you that your package having an attestation from a trusted platform like GitHub or GitLab gives me a warm feeling. It is not the only thing we will look at but definitely part of a longer list of checks to understand risk around dependencies. With an attestation from GitHub I know at least that the workflow that ran it and the artifacts it produced will be 100% traceable and verifiable. This doesn't mean the code was not malicious, but for example it will rule out that someone did the build at home and attached an alternative version of an artifact to a GitHub release. Like how that was done with the xz project. It is fine to not like GitHub, but I think that means we need more trusted builders. Developers cannot be pushed toward just GitHub.
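To make concrete what "traceable and verifiable" buys a dependency reviewer, here is an added example (not code from the commenter or from any platform) of the policy checks a consumer applies to an attestation once its signature has already been verified by a Sigstore-aware tool. It takes an in-toto Statement carrying a SLSA v1 provenance predicate, shaped like the provenance GitHub artifact attestations emit, and checks three things: that the downloaded artifact's SHA-256 digest is one of the attestation's subjects (so a file swapped onto a release page fails), that it was built from the expected repository and workflow file, and that the builder is one the reviewer trusts. The sample artifact, statement, repository name, workflow path and builder id are all constructed placeholders, not values from any real release.

```python
import hashlib
import json

# Constructed sample artifact and a constructed in-toto Statement with a
# SLSA v1 provenance predicate. Every value below is a placeholder.
ARTIFACT = b"sample wheel contents (constructed)\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            "name": "example_pkg-1.0.0-py3-none-any.whl",
            "digest": {"sha256": ARTIFACT_SHA256},
        }
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.0.0",
                    "repository": "https://github.com/example-org/example-pkg",
                    "path": ".github/workflows/release.yml",
                }
            },
        },
        "runDetails": {
            # Assumed builder identifier; treat it as a placeholder.
            "builder": {"id": "https://github.com/actions/runner/github-hosted"}
        },
    },
}

# Builder identities the reviewer is willing to trust (assumption: a
# policy list the consumer maintains, not something the attestation decides).
ALLOWED_BUILDER_IDS = {"https://github.com/actions/runner/github-hosted"}

SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_provenance(statement, artifact, expected_repo, expected_workflow_path):
    """Policy checks on an already signature-verified provenance statement.

    Returns a list of human-readable failures; an empty list means the
    artifact is bound to the expected repository, workflow and builder.
    """
    failures = []

    if statement.get("predicateType") != SLSA_V1:
        failures.append(
            f"unexpected predicateType {statement.get('predicateType')!r}"
        )
        return failures

    # 1. The bytes we downloaded must be a subject of the attestation.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest is not among the attestation subjects")

    # 2. The build must have come from the repository and workflow we expect.
    predicate = statement.get("predicate", {})
    workflow = (
        predicate.get("buildDefinition", {})
        .get("externalParameters", {})
        .get("workflow", {})
    )
    if workflow.get("repository") != expected_repo:
        failures.append(
            f"built from {workflow.get('repository')!r}, expected {expected_repo!r}"
        )
    if workflow.get("path") != expected_workflow_path:
        failures.append(
            f"built by workflow {workflow.get('path')!r}, "
            f"expected {expected_workflow_path!r}"
        )

    # 3. The builder must be one we trust; a self-reported local build fails.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in ALLOWED_BUILDER_IDS:
        failures.append(f"untrusted builder {builder_id!r}")

    return failures


def load_statement(raw_json):
    """Parse a statement that arrived as JSON text (e.g. a decoded DSSE payload)."""
    return json.loads(raw_json)


if __name__ == "__main__":
    result = check_provenance(
        STATEMENT, ARTIFACT,
        "https://github.com/example-org/example-pkg",
        ".github/workflows/release.yml",
    )
    print("ok" if not result else "\n".join(result))
```

The digest check is the one that catches the scenario described in the comment: an artifact built elsewhere and attached to the release page has no attestation subject matching its hash, so it fails before anyone reads the code. The repository and builder checks are consumer-side policy; the attestation only tells you who built what, and it is up to the reviewer to decide which builders and repositories are acceptable.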
Yes, agreed. This is why the docs explicitly say that we’re planning on enabling support for other publisher providers, like GitLab.