While our supply chain security story is rather good we do not generate user-verifiable provenance (e.g. in accordance with https://slsa.dev/provenance/v0.2).
Impact
Users are unable to attest validity of origins (sources and dependencies) of our builds and releases.
Ideal future situation
Signed provenance is published in a user-digestable format with every release.
Implementation options
Use package URLs and hashes from ebuilds and generate source package information
record build time / scripts and ebuilds repos' git hashes / build instructions for reproducibility
generate and store checksums of intermediate packages produced
generate and store checksums of binary files shipped with each package (optionally, at build time)
sign and publish provenance information with each build
Current situation
While our supply chain security story is rather good we do not generate user-verifiable provenance (e.g. in accordance with https://slsa.dev/provenance/v0.2).
Impact
Users are unable to attest validity of origins (sources and dependencies) of our builds and releases.
Ideal future situation
Signed provenance is published in a user-digestable format with every release.
Implementation options