thoth-station / core

Using Artificial Intelligence to analyse and recommend Software Stacks for Artificial Intelligence applications.
https://thoth-station.github.io/
GNU General Public License v3.0

provenance checking and reporting based on SigStore #345

Open goern opened 2 years ago

goern commented 2 years ago

Is your feature request related to a problem? Please describe. tbd

High-level Goals With the current provenance checking method, we provide some value to the user; to increase the potential value, we want to base provenance checks on sigstore. This way we could report which parts of the software stack lack strong supply chain security and suggest actions to the developers. #DevSecOps

Describe the solution you'd like tbd

Describe alternatives you've considered sha based provenance checks

Additional context n/a

Acceptance Criteria tbd

fridex commented 2 years ago

It might be a good idea to wait for upstream to establish signing artifacts before proceeding with this one - see PEP-480. Let's wait for upstream implementation for this and standards established to have proper implementation following Python packaging standards.

codificat commented 2 years ago

/triage accepted
/priority important-longterm

sesheta commented 2 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

sesheta commented 2 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

codificat commented 2 years ago

/lifecycle frozen

codificat commented 2 years ago

> It might be a good idea to wait for upstream to establish signing artifacts before proceeding with this one - see PEP-480. Let's wait for upstream implementation for this and standards established to have proper implementation following Python packaging standards.

Current status seems to be: