Please add SLSA provenance to your releases #12441

Open
udf2457 opened this issue Apr 26, 2024 · 5 comments

udf2457 commented Apr 26, 2024

Please add SLSA provenance to your releases.

It is easy to do on GitHub, for example:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

Background info:
https://docs.sigstore.dev/signing/overview/

@jmooring (Member)

While this may be valuable, from your GitHub history it looks like you've created the same issue in many repositories. So, at first glance, this is a bit spammy.

udf2457 commented Apr 27, 2024

Spammy? Encouraging well-known Go projects (such as yours) to embrace and adopt a well-supported, well-known, open source supply-chain security project? Clearly it wasn't on your radar, so I brought it to your attention.

What a weird accusation to make! What exactly do I have to gain from it, chum? 🤷 🤦

bep commented Apr 30, 2024

> It is easy to do on GitHub, for example:

We don't use GoReleaser (main reason: it didn't scale to the number/size/complexity of the builds Hugo needs).

@bep bep removed the NeedsTriage label Apr 30, 2024
@bep bep added this to the v0.126.0 milestone Apr 30, 2024
udf2457 commented Apr 30, 2024

It ... was ... an ... example ... some "food for thought"!

Clearly of course I wasn't expecting you to copy/paste some random example off the internet.

Sheesh. Tough crowd. Shall I just put you out of your misery and close this issue?

I mean really.

I made a genuine suggestion about something I felt could increase the overall security posture of the project in a technology environment that is subject to increasingly advanced attacks.

Instead of "thanks", or "looks interesting, we'll think about it", or maybe even "do you have time to / would you like to submit a PR" I just get a bunch of hostility from the maintainers seemingly because "it wasn't my idea, so it must be bad".

I think Hugo is a great project; I've been very fond of it and have recommended it to many people. The maintainers? Not so much...

P.S. I'm going to unsubscribe from this issue, so don't bother replying, I won't see it.

bep commented Apr 30, 2024

@udf2457 I'm not sure what you expect from us. A proposal in an open source repository needs to be as concrete and practical as possible; pointing to some generic links on the web isn't "as concrete and practical" as possible.

@udf2457 udf2457 closed this as completed Apr 30, 2024
@bep bep reopened this Apr 30, 2024
@bep bep modified the milestones: v0.126.0, v0.127.0 May 15, 2024