
24/66: icse-2022: Mention SLSA and Git{Lab,Hub}.

From: Ludovic Courtès
Subject: 24/66: icse-2022: Mention SLSA and Git{Lab,Hub}.
Date: Wed, 29 Jun 2022 11:32:00 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 1896b336dad04ab3da05cdbd3e8e621217a614da
Author: Ludovic Courtès <>
AuthorDate: Tue Aug 31 12:07:52 2021 +0200

    icse-2022: Mention SLSA and Git{Lab,Hub}.
 doc/icse-2022/security.sbib    | 19 +++++++++++++++++++
 doc/icse-2022/supply-chain.skb | 23 +++++++++++++++++++----
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/doc/icse-2022/security.sbib b/doc/icse-2022/security.sbib
index d7583f7..8a07e60 100644
--- a/doc/icse-2022/security.sbib
+++ b/doc/icse-2022/security.sbib
@@ -231,6 +231,25 @@ Thayer")
   (title "Executive Order on Improving the Nation’s Cybersecurity")
+(misc google2021:slsa
+  (author "Google, Inc.")
+  (year "2021")
+  (month "June") ;see
+  (title "Supply-chain Levels for Software Artifacts (SLSA)")
+  (url "";))
+(misc github2021:verify-commits
+  (author "GitHub, Inc.")
+  (year "2021")
+  (title "Managing commit signature verification")
+  (url 
+(misc gitlab2021:verify-commits
+  (author "GitLab, Inc.")
+  (year "2021")
+  (title "Signing commits with GPG")
+  (url 
 (defun skr-from-bibtex ()
   "Vaguely convert the BibTeX snippets after POINT to SBibTeX."
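Review bot: the `url` fields of all three new entries are incomplete as shown in the hunk: `google2021:slsa` ends in `(url "";))` with an empty string, and `github2021:verify-commits` and `gitlab2021:verify-commits` both stop at a bare `(url ` with no string and no closing parentheses, so the SBibTeX forms are unbalanced as committed. Also `(month "June") ;see` leaves a dangling comment. Please fill in the three URL strings, close the forms, and either complete or drop the `;see` remark before this lands.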
diff --git a/doc/icse-2022/supply-chain.skb b/doc/icse-2022/supply-chain.skb
index c10660d..03d4efb 100644
--- a/doc/icse-2022/supply-chain.skb
+++ b/doc/icse-2022/supply-chain.skb
@@ -239,7 +239,7 @@ in spirit to Debian’s apt or Fedora’s yum.  Unlike those, 
Guix builds
 upon the ,(emph [functional deployment model]) pioneered by Nix ,(ref
 :bib "dolstra2004:nix"), a foundation for reproducible deployment,
 reproducible builds, and provenance tracking.  Guix is essentially a
-“source-based” deployment tools: the ,(emph [model]) is that of a system
+“source-based” deployment tool: the ,(emph [model]) is that of a system
 where every piece of software is built from source, and pre-built
 binaries are viewed as a mere optimization and not as a central aspect
 of its design.])
@@ -988,8 +988,7 @@ containing “build recipe”.  To date, it appears that ,(tt 
[opam update])
 itself does not authenticate repositories though; it is up to users and
 developers to run Conex.])
-      (p [The in-toto framework ,(ref :bib 'torresarias2019:intoto) and
-similarly sigstore ,(ref :bib 'sigstore2021:web) can be thought of as a
+      (p [The in-toto framework ,(ref :bib 'torresarias2019:intoto) can be 
thought of as a
 generalization of TUF; it aims at ensuring the integrity of complete
 software supply chains, taking into accounts the different steps that
 comprise software supply chains in widespread use such as Debian’s.  In
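Review bot: since this paragraph is already being touched to drop the sigstore mention (it is re-cited together with SLSA in the next hunk), fix the grammatical slip in the unchanged context line at the same time: "taking into accounts the different steps" should read "taking into account the different steps".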
@@ -1004,7 +1003,23 @@ project’s official binaries, as discussed in ,(numref 
:text [Section]
 :ident "background").  Conversely, in-toto’s approach to artifact flow
 integrity assumes a relative disconnect between steps that makes
 verification hard in the first place.  In a sense, in-toto addresses
-non-verifiability through attestation.])
+non-verifiability through attestation.  SLSA ,(ref :bib
+'google2021:slsa) and sigstore ,(ref :bib 'sigstore2021:web) take a
+similar approach, insisting on certification rather than allowing
+independent verification of each step.])
+      (p [While signed Git commits (and tags) are becoming more common
+and generally seen as good practice, we are not aware of other tools or
+protocols to support off-line Git checkout authentication.  Recently,
+hosting platforms such as GitHub and GitLab started displaying a
+“verified” tag next to commits signed with the OpenPGP key of the person
+who pushed them or that of their author—a very limited verification
+,(ref :bib '(github2021:verify-commits gitlab2021:verify-commits)).
+This mechanism depends on out-of-band data (keys associated with user
+accounts) and does not permit off-line checks; it also lacks a notion of
+authorization.  Furthermore, commits made ,(it [via]) the web interface
+are signed by the platform itself, which makes it a single point of
+trust of every hosted project.])
       (p [Earlier work focuses on the impact of malicious modifications
 to Git repository meta-data ,(ref :bib "torresarias2016:omitting").  An
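Review bot: in the new paragraph, "a single point of trust of every hosted project" should be "a single point of trust for every hosted project". Two smaller points: the multi-key citation `,(ref :bib '(github2021:verify-commits gitlab2021:verify-commits))` passes a quoted list where the surrounding text passes a single string or symbol, so confirm `ref :bib` accepts a list; and the keys cited here (`google2021:slsa`, `github2021:verify-commits`, `gitlab2021:verify-commits`) must match the entries added to security.sbib in this same commit, whose URL fields are currently empty or truncated, so the citations will render without links until that is fixed.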
