search

bazel-contrib / rules-template

A template for creating a new Bazel ruleset
Apache License 2.0
82 stars 22 forks source link

Verify that our release process meets Google security standards #99

Open alexeagle opened 1 year ago

alexeagle commented 1 year ago

In https://github.com/bazelbuild/rules_pkg/issues/716#issuecomment-1742206745 there's a suggestion that rules need complexity in their release process in order to make them secure.

I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.

I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.

alexeagle commented 10 months ago

Note, I met a Googler at PackagingCon who works in OSS security and got the sense that our approach here is totally fine. I wish I had remembered this issue at the time and gotten that person's sign-off.