upvote

points

by raphinou15 hours ago |
comments
upvoteby darkamaul15 hours ago|
next
[-]
I’m maybe not understanding here, but isn’t it the point of release attestations (to authenticate that the release was produced by the authors)?

[0] https://docs.github.com/en/actions/how-tos/secure-your-work/...

reply
upvoteby arianvanp15 hours ago|
parent|
next
[-]
The problem is nobody checks.

All the axios releases had attestations except for the compromised one. npm installed it anyway.

reply
upvoteby raphinou15 hours ago|
parent|
[-]
Yes, that's why I aim to make the checks transparant to the user. You only need to provide the download url for the authentication to take place. I really need to record a small demo of it.
reply
upvoteby raphinou15 hours ago|
parent|
prev|
[-]
Artifact attestation are indeed another solution based on https://www.sigstore.dev/ . I still think Asfaload is a good alternative, making different choices than sigstore:

- Asfaload is accountless(keys are identity) while sigstore relies on openid connect[1], which will tie most user to a mega corp

- Asfaload ' backend is a public git, making it easily auditable

- Asfaload will be easy to self host, meaning you can easily deploy it internally

- Asfaload is multisig, meaning event if GitHub account is breached, malevolent artifacts can be detected

- validating a download is transparant to the user, which only requires the download url, contrary to sigstore [2]

So Asfaload is not the only solution, but I think it has some unique characteristics that make it worth evaluating.

1:https://docs.sigstore.dev/about/security/

2: https://docs.sigstore.dev/cosign/verifying/verify/

reply
upvoteby est13 hours ago|
prev|
next
[-]
> without any validation that it was published by the expected author

SPOF. I'd suggest use automatic tools to audit every line of code no matter who the author is.

reply
upvoteby snthpy15 hours ago|
prev|
[-]
Overall I believe this is the right approach and something like this is what's required. I can't see any code or your product though so I'm not sure what to make of it.
reply
upvoteby raphinou15 hours ago|
parent|
[-]
Here's the GitHub repo of the backend code: https://github.com/asfaload/asfaload

There's also a spec of the approach at https://github.com/asfaload/spec

I'm looking for early testers, let me know if you are interested to test it !

reply