| ▲ | darkamaul 2 hours ago | |||||||
I’m maybe not understanding here, but isn’t it the point of release attestations (to authenticate that the release was produced by the authors)? [0] https://docs.github.com/en/actions/how-tos/secure-your-work/... | ||||||||
| ▲ | raphinou 2 hours ago | parent | next [-] | |||||||
Artifact attestation are indeed another solution based on https://www.sigstore.dev/ . I still think Asfaload is a good alternative, making different choices than sigstore: - Asfaload is accountless(keys are identity) while sigstore relies on openid connect[1], which will tie most user to a mega corp - Asfaload ' backend is a public git, making it easily auditable - Asfaload will be easy to self host, meaning you can easily deploy it internally - Asfaload is multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected - validating a download is transparant to the user, which only requires the download url, contrary to sigstore [2] So Asfaload is not the only solution, but I think it has some unique characteristics that make it worth evaluating. | ||||||||
| ▲ | arianvanp 2 hours ago | parent | prev [-] | |||||||
The problem is nobody checks. All the axios releases had attestations except for the compromised one. npm installed it anyway. | ||||||||
| ||||||||