slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

README file describes an Alpine build process incompletely #62

Open vielmetti opened 3 years ago

vielmetti commented 3 years ago

The README.md file goes through an extended discussion of the build process for a curl Docker image, without any obvious evidence that the author has been in communications with the Alpine team to better understand how they do things and where those processes are documented.

For example, "The APKBUILD includes a sha256 hash of this file. It is not clear where that hash came from." is documented here, at https://wiki.alpinelinux.org/wiki/APKBUILD_Reference:

"The checksums are normally generated and updated by executing abuild checksum and should be the last item in the APKBUILD."
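To make the checksum mechanism discussed above concrete, here is a small verification script added by the editor; it is not code from the SLSA repository or from Alpine's abuild. It parses the `sha256sums`/`sha512sums` field of an APKBUILD (one `<hex>  <filename>` entry per line, the same layout `sha512sum(1)` prints), checks the named source files against the pinned digests, and `render_checksums` approximates what `abuild checksum` writes back into the APKBUILD. The package name, tarball name and file contents in `demo()` are constructed sample data.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Matches the checksum variable an APKBUILD carries, e.g.
#   sha512sums="<hex>  pkg-1.0.tar.xz
#   <hex>  some.patch
#   "
_SUMS_RE = re.compile(r'^(?P<algo>sha256|sha512)sums="(?P<body>.*?)"', re.M | re.S)


def parse_checksums(apkbuild_text: str) -> dict[str, tuple[str, str]]:
    """Return {filename: (algorithm, expected_hex)} from an APKBUILD's *sums field."""
    m = _SUMS_RE.search(apkbuild_text)
    if m is None:
        raise ValueError("APKBUILD has no sha256sums/sha512sums field")
    algo = m.group("algo")
    hex_len = hashlib.new(algo).digest_size * 2
    expected: dict[str, tuple[str, str]] = {}
    for line in m.group("body").splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")  # two spaces, like sha512sum output
        if not name or len(digest) != hex_len:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = (algo, digest.lower())
    return expected


def digest_file(path: Path, algo: str) -> str:
    """Hex digest of a file, streamed so large tarballs are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(apkbuild_text: str, srcdir: Path) -> dict[str, str]:
    """Check every file the checksum field names; {filename: 'ok' | 'mismatch' | 'missing'}."""
    results: dict[str, str] = {}
    for name, (algo, expected_hex) in parse_checksums(apkbuild_text).items():
        path = srcdir / name
        if not path.is_file():
            results[name] = "missing"
        elif digest_file(path, algo) == expected_hex:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def render_checksums(srcdir: Path, names: list[str], algo: str = "sha512") -> str:
    """Regenerate the field from the files on disk (an approximation of 'abuild checksum',
    not abuild's own code): this is where the pinned hash in an APKBUILD comes from."""
    lines = [f"{digest_file(srcdir / n, algo)}  {n}" for n in names]
    return f'{algo}sums="' + "\n".join(lines) + '\n"'


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed round trip: pin a fake tarball, verify it, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d)
        tarball = "curl-example.tar.xz"  # constructed name, not a real release
        (src / tarball).write_bytes(b"constructed sample bytes standing in for a tarball\n")
        apkbuild = "pkgname=curl-example\n" + render_checksums(src, [tarball]) + "\n"
        clean = verify_sources(apkbuild, src)
        # A download that differs from what the maintainer pinned must fail the check.
        (src / tarball).write_bytes(b"tampered contents\n")
        tampered = verify_sources(apkbuild, src)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:   ", before)
    print("tampered tree:", after)
```

The point for an auditor is that the digest in the APKBUILD is pinned by the maintainer at the time `abuild checksum` is run, and every later build compares the fetched source against that pin; a mismatch aborts the build rather than silently proceeding.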

kaniini commented 3 years ago

There is also the question about whether a compromised developer machine could be used to upload malicious APKs to the master mirror. To answer the question, developers themselves do not have the ability to upload to the master mirror, but I am admittedly not sure how such an attestation could be verified by an auditor.

dlorenc commented 3 years ago

Hi @vielmetti and @kaniini!

I'm very sorry about the errors made here. I know that Alpine puts a huge amount of effort into securing their build and packaging system, and you as a community do an excellent job at this. I can either get the corrections you outlined made in the documentation or remove the Alpine example entirely - whichever you would prefer.

I've sent https://github.com/slsa-framework/slsa/pull/64 as a start for fixing up this content. If you're up for it, I'd love any other feedback on how to either correct this or switch to a different example.

kaniini commented 3 years ago

Thanks Dan!

kaniini commented 3 years ago

I think leaving the Alpine example is fine! There is certainly a desire to answer these kinds of questions about Alpine, and our efforts to implement reproducible builds etc. will hopefully help in some ways. I think we can get Alpine to SLSA 3, which is pretty good.

joshuagl commented 3 years ago

> I think leaving the Alpine example is fine! There is certainly a desire to answer these kinds of questions about Alpine, and our efforts to implement reproducible builds etc. will hopefully help in some ways. I think we can get Alpine to SLSA 3, which is pretty good.

It's a bit off-topic for this thread, but I am very excited to read that the Alpine project is looking to answer more of these kinds of questions and plans to implement reproducible builds. Is there somewhere we can track, and possibly contribute, to these two efforts? I took a look around Gitlab and the wiki and didn't manage to find anything.

kaniini commented 3 years ago

There is a reproducible builds interest group forming in #alpine-reproducible on OFTC. We haven't had a meeting yet, because getting 3.14 release caught up and out the door took priority.

joshuagl commented 3 years ago

Thanks @kaniini, I'll join there.