Please add SLSA provenance to your releases #12441
Comments
While this may be valuable, from your GitHub history it looks like you've created the same issue in many repositories. So, at first glance, this is a bit spammy.
Spammy? Encouraging well-known Go projects (such as yours) to embrace and adopt a well-supported, well-known, open source supply-chain security project? Clearly it wasn't on your radar, so I brought it to your attention. What a weird accusation to make! What exactly do I have to gain from it, chum? 🤷 🤦
We don't use Goreleaser (main reason: it didn't scale to the number/size/complexity of the builds Hugo needs).
It... was... an... example... some "food for thought"! Clearly of course I wasn't expecting you to copy/paste some random example off the internet. Sheesh. Tough crowd. Shall I just put you out of your misery and close this issue? I mean really. I made a genuine suggestion about something I felt could increase the overall security posture of the project in a technology environment that is subject to increasingly advanced attacks. Instead of "thanks", or "looks interesting, we'll think about it", or maybe even "do you have time to / would you like to submit a PR", I just get a bunch of hostility from the maintainers, seemingly because "it wasn't my idea, so it must be bad". I think Hugo is a great project; I've been very fond of it and have recommended it to many people. The maintainers? Not so much... P.S. I'm going to unsubscribe from this issue, so don't bother replying, I won't see it.
@udf2457 I'm not sure what you expect from us. A proposal in an open source repository needs to be as concrete and practical as possible; pointing to some generic links on the web isn't "as concrete and practical" as possible.
Please add SLSA provenance to your releases.
It is easy to do on GitHub, for example:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
Background info:
https://docs.sigstore.dev/signing/overview/
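Since the maintainers note that Hugo does not use Goreleaser, here is an added example (not from the issue author, and not Hugo's own workflow) of the SLSA generic builder linked above attached to a plain `go build`; the `hugo` binary name and the `vX.Y.Z` tag are placeholders for the project's real output and a pinned generator release.

```yaml
# Added example: SLSA L3 provenance for a plain Go build via the
# slsa-github-generator generic builder. Binary name and generator
# version are placeholders, not values taken from this issue.
name: release
on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      # The provenance job needs the sha256 of every artifact it attests to.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build (placeholder binary name)
        run: CGO_ENABLED=0 go build -trimpath -o hugo .
      - name: Compute subject hashes
        id: hash
        run: |
          set -euo pipefail
          # The generator expects base64(sha256sum output) as its subject list.
          echo "hashes=$(sha256sum hugo | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: hugo
          path: hugo

  provenance:
    needs: [build]
    permissions:
      actions: read      # read workflow run details for the attestation
      id-token: write    # OIDC token for keyless (Sigstore) signing
      contents: write    # attach provenance to the GitHub release
    # Pin to a released tag (placeholder vX.Y.Z); this reusable workflow runs on
    # the generator's own isolated runner, which is what earns the L3 claim.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@vX.Y.Z
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true   # publish the .intoto.jsonl alongside the release
```

Downstream users can then check a downloaded binary against the attached `.intoto.jsonl` with `slsa-verifier verify-artifact --provenance-path <file> --source-uri github.com/<org>/<repo>`, which fails if the artifact hash or the originating repository does not match.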