microsoft / garnet

Garnet is a remote cache-store from Microsoft Research that offers strong performance (throughput and latency), scalability, storage, recovery, cluster sharding, key migration, and replication features. Garnet can work with existing Redis clients.
https://microsoft.github.io/garnet/
MIT License

Please add SLSA provenance to your releases #422

Closed udf2457 closed 1 week ago

udf2457 commented 1 month ago

Feature request type

enhancement

Is your feature request related to a problem? Please describe

Thank you for your work on garnet.

However, given the nature of the modern world we live in, it would be nice if you could add SLSA provenance to your releases.

Describe the solution you'd like

Add SLSA provenance to your releases.

This could be through Sigstore keyless signing, GitHub artifact attestations or any other method.

Describe alternatives you've considered

No response

Additional context

No response

darrenge commented 2 weeks ago

I read through the SLSA provenance and it doesn't look like we can implement anything above SLSA1 because our builds are done using Azure DevOps. However, all our release files are signed using Microsoft-approved signing.

Also, we are looking into adding our containers to Microsoft Container Registry which has its own strict processes to ensure supply chain integrity.

Is there something else that you were thinking of?

darrenge commented 1 week ago

Closing out since it was answered