On Fri, Jun 11, 2021 at 7:49 AM Björn Persson <Bjorn@rombobjörn.se> wrote:
>
> Huzaifa Sidhpurwala wrote:
> > I am sure everyone has heard about the recent SolarWinds software supply
> > chain attacks. This attack has made all software vendors think about
> > securing their supply chain, and it is even more applicable to Linux
> > distributions which are made of thousands of components built from
> > sources they don't even have control over.
>
> Yes, there is much that could be improved in this area.
>
> > One possible step in this direction is the ability to ensure that there
> > is no distribution point tampering of binaries shipped in Fedora.
>
> What would "distribution point" mean here? Repository mirrors? The
> master repository? mirrors.fedoraproject.org?
>
> > This could be a post-build thing, in which once the RPMs reach
> > stable and are signed, Rekor would run on it and store the binary
> > metadata in the transparency logs.
>
> As it is now, mirrors can't modify RPM packages without a key that the
> clients have installed. Mirrors could however withhold security updates
> so that clients remain vulnerable. Is that a thing that Rekor could
> prevent?
>
> I believe Yum has a feature to verify signed repository metadata. I
> don't know why it's not used. If that verification would be turned on,
> are there any attacks that would still be possible then, that Rekor
> could prevent?
>

Fedora Infrastructure has stonewalled on signing our RPM repositories for
almost a decade. Reasons have ranged from "I don't like it" to "It's useless
because metalinks" to "RPM repository format should be modified first".

However, openSUSE signs their repositories and it works fine there.

> > More information at:
> >
> > https://sigstore.dev/what_is_sigstore/
>
> On that page I can't see anything but a page header and a pointless
> animation. Even the text that is right there in the HTML code is hidden.
> Instead it wants me to execute a bunch of JavaScript from at least three
> different domains. When a website expects me to execute some unknown
> program before they'll even tell me who they are or what they do, then
> I'm much more likely to just ignore that website.
>

It's a Linux Foundation project. It mostly has produced some Go code for
supporting detached signatures for containers, since container images are
not designed to have attestation and integrity signing. It's not very useful
since no runtimes validate these things.

--
真実はいつも一つ!/ Always, there's only one truth!

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
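The thread above distinguishes two mirror threats: modifying RPMs (blocked by package signatures) and withholding updates so clients stay on old, still-validly-signed metadata. Signed repository metadata (the dnf/yum `repo_gpgcheck=1` feature Björn refers to, which verifies `repomd.xml` against `repomd.xml.asc`) proves the metadata is genuine but not that it is current. The following is an added example, not code from the thread, from Fedora, or from dnf; it shows the complementary client-side check a defender would add: parse `repomd.xml`, take the newest of its `revision` and per-file `timestamp` values, and flag the repository as stale when that exceeds a maximum age. The `repomd.xml` below is constructed for the example and the seven-day threshold is an assumption.

```python
"""Freshness check for RPM repository metadata (repomd.xml).

Added example (not from the mailing-list thread, Fedora or dnf). A signed
repomd.xml proves authenticity, not currency: a mirror can serve an old,
validly signed copy and thereby withhold security updates. This check
bounds how old accepted metadata may be. The sample XML is constructed.
"""
import time
import xml.etree.ElementTree as ET

# Namespace used by createrepo-generated repomd.xml files.
REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Constructed sample shaped like createrepo output: a repository-wide
# <revision> plus one <timestamp> per metadata file. Checksums are dummies.
SAMPLE_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1623300000</revision>
  <data type="primary">
    <checksum type="sha256">0000000000000000000000000000000000000000000000000000000000000000</checksum>
    <location href="repodata/primary.xml.gz"/>
    <timestamp>1623300000</timestamp>
  </data>
  <data type="updateinfo">
    <checksum type="sha256">1111111111111111111111111111111111111111111111111111111111111111</checksum>
    <location href="repodata/updateinfo.xml.gz"/>
    <timestamp>1623296400</timestamp>
  </data>
</repomd>
"""

# Assumed policy: reject metadata older than seven days.
MAX_AGE_SECONDS = 7 * 24 * 3600


def _epoch(text):
    """Return an integer epoch from an element's text, or None if absent/unparsable."""
    if text is None:
        return None
    text = text.strip()
    return int(text) if text.isdigit() else None


def newest_timestamp(repomd_xml: str) -> int:
    """Newest epoch second found in <revision> or any <data>/<timestamp>.

    Using the maximum is deliberate: an attacker serving old metadata cannot
    make any of these values larger than what the repository really signed,
    so the newest one is the best lower bound on the metadata's true age.
    """
    root = ET.fromstring(repomd_xml)
    stamps = []
    rev = _epoch(getattr(root.find(f"{{{REPOMD_NS}}}revision"), "text", None))
    if rev is not None:
        stamps.append(rev)
    for ts in root.iterfind(f".//{{{REPOMD_NS}}}timestamp"):
        val = _epoch(ts.text)
        if val is not None:
            stamps.append(val)
    if not stamps:
        # Treat missing timestamps as a failure rather than silently accepting.
        raise ValueError("repomd.xml carries no usable timestamps")
    return max(stamps)


def metadata_age(repomd_xml: str, now_epoch: int) -> int:
    """Seconds between the newest timestamp in repomd.xml and now_epoch."""
    return now_epoch - newest_timestamp(repomd_xml)


def is_stale(repomd_xml: str, now_epoch: int, max_age_seconds: int = MAX_AGE_SECONDS) -> bool:
    """True when the repository metadata is older than the permitted age."""
    return metadata_age(repomd_xml, now_epoch) > max_age_seconds


if __name__ == "__main__":
    now = int(time.time())
    age = metadata_age(SAMPLE_REPOMD, now)
    print(f"newest metadata timestamp: {newest_timestamp(SAMPLE_REPOMD)}")
    print(f"metadata age: {age} s; stale: {is_stale(SAMPLE_REPOMD, now)}")
```

Run on a live mirror this would be applied after signature verification succeeds, since an unsigned or unverified `repomd.xml` can carry any timestamp. The check does not replace signed metadata; it closes the specific gap Björn raises, where a mirror replays old signed metadata, by refusing anything older than the policy allows, which converts a silent withholding into a visible client error.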