by kuahyeow on 5/3/22, 9:45 PM with 27 comments
by RandomBK on 5/4/22, 1:15 AM
One thing I'm less happy about is how these sorts of projects always tend to build up a whole parallel universe, dragging along a whole suite of dependencies and related projects (Cosign, Rekor, Fulcio, etc.).
I understand why we might want to fill gaps in existing open source tools, but it makes adopting these platforms a massive migration effort, where I need to go to several projects' documentation to learn how everything works. Naming-wise, I would also much prefer boring, descriptive names over the modern fancy project names.
by nooney on 5/4/22, 3:56 AM
[0]: https://security.googleblog.com/2022/04/improving-software-s...
[1]: https://github.blog/2022-04-07-slsa-3-compliance-with-github...
by password4321 on 5/4/22, 3:51 AM
https://docs.microsoft.com/en-us/archive/blogs/ieinternals/c...
> the signature blocks themselves can contain data. This data isn’t validated by the hash verification process, and while it isn’t code per-se, an executable with such data could examine itself, find the data, and make use of it
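The mechanism behind that quote, as an added example (it is not code from the linked article or from any commenter): the Authenticode image hash is computed over the PE headers with the CheckSum field and the Security data-directory entry skipped, then the section data, then any overlay, minus the whole Attribute Certificate Table the directory points at. So anything placed inside that table, whether in the PKCS#7's unauthenticated attributes or simply after the DER structure, leaves the hash untouched. The script below implements that hash, constructs a stub PE32 (never executed), attaches a placeholder WIN_CERTIFICATE (not a real signature), smuggles a hypothetical string into it, and shows the hash is unchanged while flipping one byte of .text is detected.

```python
"""Why bytes inside a PE's signature block are not covered by the Authenticode
image hash. Everything here is constructed for illustration: the PE is a stub
that is never executed, and the "certificate" is a placeholder, not PKCS#7."""
import hashlib
import struct

SECTION_HDR_SIZE = 40
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _layout(pe: bytes):
    """Return (optional_header_off, checksum_off, security_dir_off, coff_off)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)          # data directories start
    return opt, opt + 64, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, coff


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode image hash per the PE Authenticode spec: headers with the
    CheckSum field and the Security directory entry skipped, then each section's
    raw data in file order, then any overlay minus the certificate table."""
    opt, checksum_off, secdir_off, coff = _layout(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                     # headers before CheckSum
    h.update(pe[checksum_off + 4:secdir_off])       # ... skipping CheckSum
    h.update(pe[secdir_off + 8:size_of_headers])    # ... skipping Security dir

    sections, sec_tbl = [], opt + size_opt
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_tbl + i * SECTION_HDR_SIZE + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    end = size_of_headers
    for raw_ptr, raw_size in sorted(sections):     # sections by file offset
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)

    tail = pe[end:]                                 # overlay data, if any
    if cert_size:
        if cert_off < end:
            raise ValueError("certificate table overlaps hashed data")
        rel = cert_off - end
        tail = tail[:rel] + tail[rel + cert_size:]  # drop the certificate table
    h.update(tail)
    return h.hexdigest()


def build_minimal_pe32(code: bytes) -> bytes:
    """Constructed stub PE32 with a single .text section (not a real program)."""
    file_align = size_of_headers = 0x200
    size_opt = 96 + 16 * 8                          # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)
    struct.pack_into("<HH", opt, 68, 2, 0)          # Subsystem GUI, DllChars
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    raw_size = -(-len(code) // file_align) * file_align
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                      size_of_headers, 0, 0, 0, 0, 0x60000020)
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(size_of_headers, b"\0")
    return hdr + code.ljust(raw_size, b"\0")


def attach_certificate_table(pe: bytes, cert_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE (placeholder body, not real SignedData) and
    point the Security directory at it. Expects an image with no table yet."""
    _, _, secdir_off, _ = _layout(pe)
    if struct.unpack_from("<II", pe, secdir_off) != (0, 0):
        raise ValueError("image already has a certificate table")
    body = cert_blob.ljust(-(-len(cert_blob) // 8) * 8, b"\0")
    # dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS_SIGNED_DATA)
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    padded = pe.ljust(-(-len(pe) // 8) * 8, b"\0")
    out = bytearray(padded + entry)
    struct.pack_into("<II", out, secdir_off, len(padded), len(entry))
    return bytes(out)


def read_certificate_table(pe: bytes) -> bytes:
    """What a self-inspecting binary does: follow the Security directory to
    the WIN_CERTIFICATE body and return its bytes, padding included."""
    _, _, secdir_off, _ = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if not cert_size:
        return b""
    length = struct.unpack_from("<I", pe, cert_off)[0]
    return pe[cert_off + 8:cert_off + length]


def demo() -> dict:
    code = b"\x31\xc0\xc3"                           # xor eax,eax ; ret (stub)
    unsigned = build_minimal_pe32(code)
    placeholder = b"PLACEHOLDER-PKCS7-SIGNEDDATA"  # stands in for real DER
    payload = b"HIDDEN-CONFIG:https://example.invalid/"  # hypothetical smuggled data
    signed = attach_certificate_table(unsigned, placeholder)
    smuggled = attach_certificate_table(unsigned, placeholder + b"\0" * 8 + payload)
    tampered = bytearray(signed)
    tampered[0x200] ^= 0xFF                         # flip first byte of .text
    return {
        "unsigned": authenticode_hash(unsigned),
        "signed": authenticode_hash(signed),
        "smuggled": authenticode_hash(smuggled),
        "tampered": authenticode_hash(bytes(tampered)),
        "found_payload": payload in read_certificate_table(smuggled),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Running it prints identical digests for the unsigned, signed and smuggled images and a different one for the tampered image, and the payload is recoverable through the Security directory exactly as the quoted post describes. A verifier that wants to close this channel has to go beyond the hash comparison: parse the SignedData and reject a certificate table whose length exceeds the DER structure plus the 8-byte alignment padding.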
by dlor on 5/4/22, 3:05 AM
by alilleybrinker on 5/4/22, 1:59 AM
by badrabbit on 5/4/22, 11:30 AM
Short of those two, it just becomes a way to maintain walled gardens by app stores or a means of replacing open-source GPG package signing with a centralized web of trust? I guess the Cosign part means some decentralization like GPG? I am not bashing it, it can help with supply chain attacks, but I predict adoption woes and being used by malicious actors a lot without those two items. Is Firefox signed by Mozilla legit, or is Firefox signed by Mozilla Corporation legit?
by netman21 on 5/4/22, 2:49 AM
by mshekow on 5/4/22, 4:56 AM
by chimbosonic on 5/4/22, 10:23 AM
by pineconewarrior on 5/4/22, 5:42 AM
In other words, kudos?
by adammfrank on 5/4/22, 2:23 AM