public inbox for overseers@sourceware.org
From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: overseers@sourceware.org
Subject: [Bug Infrastructure/29615] prototype & document SOP for signed-git-op repo
Date: Tue, 27 Sep 2022 11:45:57 +0000	[thread overview]
Message-ID: <bug-29615-14326-sI3v0eDM86@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-29615-14326@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29615

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
It would be nice to go through the source integrity threats identified in
https://slsa.dev/spec/v0.1/threats

For a sourceware project that means checking section (A) "Submit unauthorized
change" of:
https://slsa.dev/spec/v0.1/threats#source-integrity-threats

Almost all of those are policy issues, but it would be good to note where our
setup doesn't support adopting a specific policy change (if wanted, I think
some of those policy changes are a bit heavy-handed, not everybody wants to be
SLSA4 compliant, but it would be nice to make sure that technically a project
can choose to adopt them).

-- 
You are receiving this mail because:
You are the assignee for the bug.


Thread overview: 9+ messages
2022-09-26 13:30 [Bug Infrastructure/29615] New: " fche at redhat dot com
2022-09-26 16:57 ` [Bug Infrastructure/29615] " serhei at serhei dot io
2022-09-26 17:20 ` serhei at serhei dot io
2022-09-26 17:39 ` ezannoni at gmail dot com
2022-09-27 11:45 ` mark at klomp dot org [this message]
2022-09-27 13:23 ` serhei at serhei dot io
2022-09-27 20:10 ` mark at klomp dot org
2023-06-01 19:54 ` mark at klomp dot org
2023-10-14  1:02 ` fche at redhat dot com
