search

bazel-contrib / rules-template

A template for creating a new Bazel ruleset
Apache License 2.0
71 stars 20 forks source link

Verify that our release process meets Google security standards #99

Open alexeagle opened 9 months ago

alexeagle commented 9 months ago

In https://github.com/bazelbuild/rules_pkg/issues/716#issuecomment-1742206745 there's a suggestion that rules need complexity in their release process in order to make them secure.

I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.

I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.

alexeagle commented 5 months ago

Note, I met a Googler at PackagingCon who works in OSS security and got the sense that our approach here is totally fine. I wish I had remembered this issue at the time and gotten that person's sign-off.