package managers should use Content hashing for dependencies. Sensible, safer ... if it used something like IPFS it could even make the sharing simpler...
To be clear, this signing stuff only allows you to verify that a human looked at the list of dependencies, right? I think some more signatures should be in there, such as the signature of the company running the build (GitHub if using actions, etc.), as well as some sort of signed hash for any stdlib bundled in (for native, e.g. C++ apps). After that you also need each of the dependencies that were included to themselves be built with the same supply chain verification signature for any of this to mean anything, right?
I don't get the security model. You are worried that dependencies might be untrustworthy... so you run their arbitrary build code anyway, and then have that compromised environment generate the BOM and sign it? This sequence of operations seems fundamentally flawed to me.
This is StrangeLoop at its best. Educational and Entertaining.
Really enjoyed your presentation 👍
highly underrated!
package managers should use Content hashing for dependencies. Sensible, safer ... if it used something like IPFS it could even make the sharing simpler...
Awesome talk!
awesome talk!
To be clear, this signing stuff only allows you to verify that a human looked at the list of dependencies, right? I think some more signatures should be in there, such as the signature of the company running the build (GitHub if using actions, etc.), as well as some sort of signed hash for any stdlib bundled in (for native, e.g. C++ apps). After that you also need each of the dependencies that were included to themselves be built with the same supply chain verification signature for any of this to mean anything, right?
This guy is a *great* speaker!
I don't get the security model. You are worried that dependencies might be untrustworthy... so you run their arbitrary build code anyway, and then have that compromised environment generate the BOM and sign it? This sequence of operations seems fundamentally flawed to me.
29:17 moves on to not sha-pin his github actions O.O