Hi All,
I am sure everyone has heard about the recent Solarwinds software supply
chain attacks. This attack has made all software vendors think about
securing their supply chain, and it is even more applicable to linux
distributions which are made of thousands of components built from
sources they dont even have control over.
One possible step in this direction is the ability to ensure that there
is no distribution point tampering of binaries shipped in Fedora.
rekor is a an immutable tamper resistant ledger of metadata generated
within a software projects supply chain. Rekor will enable software
maintainers and build systems to record signed metadata to an immutable
record.
How would it work, would package maintainers need to be involved? Not
really, this could be a post-build thing, in which ones the rpms reach
stable and are signed, rekor would run on it and store the binary
metadata in the transparency logs.
I just wanted to send out a email to fedora folks to get a feel of this
and what you think, before really going into implementation or any other
details.
More information at:
https://sigstore.dev/what_is_sigstore/
https://github.com/sigstore/rekor
--
Regards,
Huzaifa Sidhpurwala / Red Hat Product Security
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
