Feature Request P3
Status Update
Comments
lu...@gmail.com <lu...@gmail.com> #2
Looking at [1], the only points that would apply to Gerrit Code Review as a tool would be:
(a) Bypassed code-review system
(b) Compromised source-control system
Do you see Gerrit being involved in other steps on the CI/CD chain?
[1] https://slsa.dev/spec/v0.1/index#slsa-101
na...@codeaurora.org <na...@codeaurora.org> #3
@Luca, I agree those are the points that apply to Gerrit features we may want to develop. @Han-Wen had mentioned in a community meeting in the past that Google was potentially going to do that.
However, that's not the goal of this issue. This issue is for Gerrit to be like any other OSS tool which publishes artifacts (gerrit.war, plugin-api.jar, etc) and for us to adopt the supply chain security best practices from SLSA for doing so.
lu...@gmail.com <lu...@gmail.com> #4
> This issue is for Gerrit to be like any other OSS tool which publishes artifacts (gerrit.war, plugin-api.jar, etc) and for us to adopt the supply chain security best practices from SLSA for doing so.
What level of SLSA do you believe we are? What level of SLSA are we targeting in your opinion?
na...@codeaurora.org <na...@codeaurora.org> #5
Looking at [1] I think we're at level 0. I don't think we need to target a specific level, but maybe other maintainers feel otherwise. I would be happy if we made any improvements, but I think making provenance available [2] is low hanging fruit.
[1] https://slsa.dev/spec/v0.1/levels#detailed-explanation
[2] https://slsa.dev/spec/v0.1/requirements#available
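As an added example, not code from this thread or from the Gerrit project: a minimal producer/consumer pair for the "provenance available" requirement cited in [2], using the in-toto Statement envelope with the SLSA v0.1 provenance predicate. The builder id, build recipe and artifact bytes are assumed placeholders; the statement is unsigned, which is all the v0.1 L1 "available" requirement asks for, while signed ("authenticated") provenance belongs to the higher levels.

```python
import hashlib
import json
from datetime import datetime, timezone

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.1"
# Assumed placeholders, not the Gerrit project's real builder id or build recipe.
BUILDER_ID = "https://ci.example.invalid/gerrit-release-builder"
SOURCE_URI = "git+https://gerrit.googlesource.com/gerrit"
# Constructed stand-in for the bytes of a published artifact such as gerrit.war.
ARTIFACT_NAME = "gerrit.war"
ARTIFACT_BYTES = b"constructed stand-in for the contents of gerrit.war"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_provenance(name: str, artifact: bytes, source_commit: str) -> str:
    """Producer side: serialise an in-toto Statement carrying a SLSA v0.1 predicate."""
    now = datetime.now(timezone.utc).isoformat()
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "recipe": {"type": "https://example.invalid/bazel-build",
                       "definedInMaterial": 0, "entryPoint": "bazel build release"},
            "metadata": {"buildStartedOn": now, "buildFinishedOn": now,
                         "completeness": {"arguments": True, "environment": False,
                                          "materials": True},
                         "reproducible": False},
            "materials": [{"uri": SOURCE_URI, "digest": {"sha1": source_commit}}],
        },
    }
    return json.dumps(statement, sort_keys=True)

def verify_artifact(provenance_json: str, name: str, artifact: bytes,
                    trusted_builder: str) -> bool:
    """Consumer side: accept the download only if the statement has the expected
    types, names a builder we trust, and lists this exact artifact digest as a subject."""
    stmt = json.loads(provenance_json)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PREDICATE_TYPE:
        return False
    if stmt.get("predicate", {}).get("builder", {}).get("id") != trusted_builder:
        return False
    digest = sha256_hex(artifact)
    return any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", []))
```

A consumer that runs verify_artifact before deploying a downloaded gerrit.war rejects a file whose bytes, name or builder do not match what the published provenance records.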
mi...@gmail.com <mi...@gmail.com> #6
[Comment Deleted]
ek...@google.com <ek...@google.com> #7
[Monorail components: SteeringCommittee]
ek...@google.com <ek...@google.com> #8
[Monorail components: -ESC]
is...@google.com <is...@google.com> #9
Edits were made to reflect the following in Monorail: auto-CCs.
Description
SLSA is a set of standards and technical controls you can adopt to improve artifact integrity and build towards completely resilient systems. It’s not a single tool, but a step-by-step outline to prevent artifacts from being tampered with and tampered artifacts from being used, and, at the higher levels, to harden the platforms that make up a supply chain.
The Gerrit project publishes artifacts we expect to be downloaded and run, sometimes in very secure environments, and Gerrit itself aims to have robust security mechanisms. I think it therefore makes sense for Gerrit to adopt these standards and controls.
I don't think this is something we need to do urgently, but I had mentioned it in a past Community Meeting and realized I never added it to the backlog anywhere. I'm marking this as an ESC issue because I think it's a broad project decision that the maintainers and ESC should agree on.