Closed di closed 1 year ago
This is great! One thing I would like to see added is a list of goals and non-goals focusing on what threats are addressed. For example: This prevents attackers who can forge TLS certs for GitHub from tampering with artifacts, but does not prevent an upstream repo from being compromised and Homebrew CI from automatically building/signing/distributing a malicious package. The latter is partially addressed in this proposal, but would not be 100% addressed until a requirement that all Homebrew upstream sources are signed is added to the CI builder's logic. A future proposal may add a config option to enable a TAP owner to mark their TAP as 100% signed so all packages within the TAP must have signatures before Homebrew CI should build/distribute.
The PR is missing some context, but from Slack I infer that this is a proposal for Alpha-Omega funding that is sponsored by the WG Securing Software Repos. Is that correct?
This is just a general proposal from this WG that could be submitted to any potential funder. Although we do plan to submit this to A/O for funding first, there isn't anything A/O-specific here.
Some feedback from the Homebrew maintainers on their Slack:
homebrew-core
faster/without the time + challenges of a full rebuild.
sign-fresh-bottle.yml
and sign-existing-bottle.yml
), and the "flag" day would then correspond to the day when all listed bottles are signed with sign-fresh-bottle.yml
rather than a mixture of the two.cc @mikemcquaid and @smillerdev, since I've summarized your feedback above; please correct me if I've missed or mistaken anything 🙂
Got it. The part I was missing from the PR description was that this is a "proposal from this WG that could be submitted to any potential funder".
I've updated the description!
Hi folks, thanks for all the reviews to date. Just an FYI that I'd like to merge this by EOD today, so we can submit it to A/O by the end of the week.
@di @woodruffw What do you think about adding a threat model as mentioned in https://github.com/ossf/wg-securing-software-repos/pull/20#issuecomment-1638574892?
What do you think about adding a threat model as mentioned in #20 (comment)?
I'm happy to do that; I'll open a PR in a bit.
Thanks everyone for your feedback here!
This adds a proposal by myself and @woodruffw to add code-signing to the Homebrew ecosystem.
Edit: The goal here is to have a proposal from 'within' this WG that could be submitted to any potential funder. We plan to submit this to Alpha/Omega for funding first.