Huzaifa Sidhpurwala wrote:
> I am sure everyone has heard about the recent Solarwinds software supply
> chain attacks. This attack has made all software vendors think about
> securing their supply chain, and it is even more applicable to Linux
> distributions, which are made of thousands of components built from
> sources they don't even have control over.

Yes, there is much that could be improved in this area.

> One possible step in this direction is the ability to ensure that there
> is no distribution point tampering of binaries shipped in Fedora.

What would "distribution point" mean here? Repository mirrors? The master repository? mirrors.fedoraproject.org?

> This could be a post-build thing, in which, once the RPMs reach
> stable and are signed, Rekor would run on them and store the binary
> metadata in the transparency logs.

As it is now, mirrors can't modify RPM packages without a key that the clients have installed. Mirrors could, however, withhold security updates so that clients remain vulnerable. Is that a thing that Rekor could prevent?

I believe Yum has a feature to verify signed repository metadata. I don't know why it's not used. If that verification were turned on, are there any attacks that would still be possible that Rekor could prevent?

> More information at:
>
> https://sigstore.dev/what_is_sigstore/

On that page I can't see anything but a page header and a pointless animation. Even the text that is right there in the HTML code is hidden. Instead it wants me to execute a bunch of JavaScript from at least three different domains. When a website expects me to execute some unknown program before they'll even tell me who they are or what they do, then I'm much more likely to just ignore that website.

Björn Persson
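The update-withholding case raised in the reply above (a mirror serving old but validly signed metadata) is something a client can detect on its own. The following is an added example, not code from the thread or from Fedora's tooling; it assumes the standard repomd.xml layout with a top-level revision and per-data timestamp elements, and that signature verification of repomd.xml has already passed before this check runs.

```python
"""Detect a frozen or rolled-back mirror from signed repomd.xml metadata.

A signature stops a mirror from altering repomd.xml, but not from serving
an older copy. Remembering the last-seen (revision, timestamp) per repo
and enforcing a freshness window catches both rollback and withholding.
"""
import xml.etree.ElementTree as ET

# Namespace used by createrepo-style repomd.xml documents.
NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed sample repomd.xml (checksum is a placeholder, not real data).
SAMPLE_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1612100000</revision>
  <data type="primary">
    <checksum type="sha256">PLACEHOLDER_SHA256</checksum>
    <location href="repodata/primary.xml.gz"/>
    <timestamp>1612100000</timestamp>
  </data>
</repomd>"""


def parse_repomd(xml_text):
    """Return (revision, newest data timestamp) from a repomd.xml document."""
    root = ET.fromstring(xml_text)
    revision = int(root.findtext("r:revision", namespaces=NS))
    stamps = [float(e.text) for e in root.findall("r:data/r:timestamp", NS)]
    return revision, max(stamps)


def check_freshness(xml_text, last_seen, now, max_age):
    """Return (ok, reason). last_seen is (revision, timestamp) or None.

    Rejects metadata that goes backwards relative to what this client has
    already accepted (rollback) or is older than max_age seconds (freeze).
    """
    revision, stamp = parse_repomd(xml_text)
    if last_seen is not None:
        prev_rev, prev_stamp = last_seen
        if revision < prev_rev or stamp < prev_stamp:
            return False, "rollback: metadata older than previously seen"
    if now - stamp > max_age:
        return False, "stale: mirror may be withholding updates"
    return True, "fresh"
```

A real client would persist last_seen per repository and fall back to another mirror when the check fails.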
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure