Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify that our release process meets Google security standards #99

Open
alexeagle opened this issue Oct 5, 2023 · 1 comment
Open

Verify that our release process meets Google security standards #99

alexeagle opened this issue Oct 5, 2023 · 1 comment
Assignees
@alexeagle

Comments

@alexeagle
Copy link
Contributor

In bazelbuild/rules_pkg#716 (comment) there's a suggestion that rules need complexity in their release process in order to make them secure.

I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.

I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.
@alexeagle alexeagle self-assigned this Oct 5, 2023
@alexeagle alexeagle mentioned this issue Oct 5, 2023
Closed
@alexeagle
Copy link
Contributor Author

Note, I met a Googler at PackagingCon who works in OSS security and got the sense that our approach here is totally fine. I wish I had remembered this issue at the time and gotten that person's sign-off.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexeagle alexeagle

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@alexeagle