-
-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create a documented outline of the 3rd party Reproducible Attestation process #3949
Comments
I would change "Un-verified" to "Pending 3rd party verification" or something to that effect. Bonus, a link to "instructions on how to verify" so that any 3rd party could reproduce the build and provide an attestation would be interesting. Handwave. Assuming that "%age" is short for percentage, I'm not sure I understand it in this context. I actually like that Step 5 requires that the verifier be a marketplace member unless the barrier to entry is too high. It changes the "someone verified this" to "someone known to us with some kind of contractual relationship verified this" or even better "Company X verified this." That means a lot to the consumer. I think the reproducibleVerified attribute will need to be a counter and we will eventually want some way to get the list of verifiers. We had discussed having a specific release for "reproducible" so that someone could query for builds that were reproducible. That might not be necessary but I do like the idea of a clear release type. |
Yep, changed.
Agree
Yes, that's probably what we will need
So the Adoptium API will be extended to return something like "latest&verified", which will return the latest artifact with reproducibleVerified>0, as opposed to "latest" which will return simply the latest as today. |
true at this moment in time, but not necessarily in the future, since changes to support reproducibility were pushed upstream, to allow other distributors to also benefit |
I'd like to separate out the basic mechanism of recording verification build attestations from the details of a visual depiction of a verification (tick marks etc), and the policy of who we recognise as a trusted verifier (working group members etc). Though I do strongly believe that the mechanism we pick should allow anyone to record a verification attestation. I propose: To record reproducible attestations
To query reproducible attestations
Reproducible attestations depictions
p.s. Although I reference Sigstore above, I do note that they don't list CycloneDX Attestations as a currently supported type - potentially requiring a new definition. The store does support Intoto attestations today, but staying with CDX makes sense. |
Thanks @tellison I like the idea of using a "Rekor" ledger. There's a few technical issues/questions with Rekor:
|
Process Outline:
At Adoptium:
A 3rd Party:
The text was updated successfully, but these errors were encountered: