containerd / runwasi

Facilitates running Wasm / WASI workloads managed by containerd
Apache License 2.0
1.02k stars, 84 forks

SBOMs and Artifact Signing for Releases #417

Open 0xE282B0 opened 7 months ago

0xE282B0 commented 7 months ago

My favorite quote about KWasm:

"So Kwasm operator breaks into the host node and sets up some containerd configuration imports of binary from wherever — this is not production ready" -@kingdonb

As the ecosystem has become more stable and mature, we have moved to the officially released shims, but it would be nice to be able to prove that the binaries are not compromised.

I would suggest providing SBOMs and signatures for the releases. WDYT?

kingdonb commented 7 months ago

I learned a new term that day, "ATO". The reference is from our newbie-level OpenGovCon talk about WASM (and I'm so happy to hear it mentioned!). The recap article is where you can find that quote (context for those who don't wish to suffer through the video but wanted to get the gist of this talk anyway).

devigned commented 7 months ago

Perhaps, we could package OCI artifacts with SBOMs that contain a shim. By doing that, we can have integrity hashes through the content registry, SBOMs to provide transparency about contents, and easy distribution via OCI. Thoughts?

0xE282B0 commented 7 months ago

I generally like distributing artifacts via OCI, pulling artifacts for a specific platform is quite convenient and it is easy to sign using cosign.
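To make concrete what the proposal in this thread would buy a consumer of the released shims (a signature to prove the binary was not swapped, and an SBOM whose recorded checksum must agree with what was actually downloaded), here is an added example that is not part of the issue or of the runwasi project. It models both sides with an Ed25519 key and a minimal SPDX 2.3 `files[].checksums` fragment; the key handling, the OCI distribution and the signature format are simplified stand-ins for what cosign and a registry would do, and the shim file name, key pair and artifact bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal subset of an SPDX 2.3 JSON document: only the per-file
// checksums are needed to cross-check a shipped binary against its SBOM.
type spdxChecksum struct {
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}
type spdxFile struct {
	FileName  string         `json:"fileName"`
	Checksums []spdxChecksum `json:"checksums"`
}
type spdxDoc struct {
	SPDXVersion string     `json:"spdxVersion"`
	Files       []spdxFile `json:"files"`
}

// Digest returns the lowercase hex SHA-256 of an artifact, the same digest an
// OCI registry would use to address the content.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// SignRelease is the publisher side: it signs the artifact's SHA-256 digest
// with a release key. Illustrative only; cosign has its own key formats and
// can attach the signature to an OCI artifact instead of a detached blob.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, []byte(Digest(artifact)))
}

// VerifyRelease is the consumer side. It fails closed: the signature must
// verify against the trusted public key, and the SBOM must list the file
// with a SHA256 checksum equal to the digest of what was actually downloaded.
func VerifyRelease(pub ed25519.PublicKey, artifact, sig, sbomJSON []byte, fileName string) error {
	digest := Digest(artifact)
	if !ed25519.Verify(pub, []byte(digest), sig) {
		return errors.New("signature does not verify: artifact or signature was altered")
	}
	var doc spdxDoc
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return fmt.Errorf("SBOM is not valid JSON: %w", err)
	}
	for _, f := range doc.Files {
		if f.FileName != fileName {
			continue
		}
		for _, c := range f.Checksums {
			if c.Algorithm == "SHA256" && c.ChecksumValue == digest {
				return nil
			}
		}
		return errors.New("SBOM lists " + fileName + " but its SHA256 checksum does not match the downloaded artifact")
	}
	return errors.New("SBOM does not describe " + fileName)
}

// SBOMFor builds the constructed SPDX fragment a release pipeline would
// publish alongside the binary (here with a single file entry).
func SBOMFor(fileName string, artifact []byte) []byte {
	doc := spdxDoc{SPDXVersion: "SPDX-2.3", Files: []spdxFile{{
		FileName:  fileName,
		Checksums: []spdxChecksum{{Algorithm: "SHA256", ChecksumValue: Digest(artifact)}},
	}}}
	b, _ := json.Marshal(doc)
	return b
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for a shim binary; the file name is assumed, and a
	// real release would ship the actual file plus its signature and SBOM.
	const name = "./containerd-shim-example-v1"
	shim := []byte("constructed shim bytes")
	sig := SignRelease(priv, shim)
	sbom := SBOMFor(name, shim)
	fmt.Println("genuine:", VerifyRelease(pub, shim, sig, sbom, name))
	tampered := append([]byte{}, shim...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:", VerifyRelease(pub, tampered, sig, sbom, name))
}
```

The two checks are deliberately independent: a valid signature over a binary whose checksum is absent from the SBOM is treated as a failure too, which catches an SBOM that was published for a different build than the one being signed.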