Please review the draft for March's report

Daniel Shahaf danielsh at apache.org
Tue Apr 6 00:24:06 UTC 2021


Chris Lamb wrote on Mon, 05 Apr 2021 09:03 +00:00:
> Please review the draft for March's Reproducible Builds report:
> 
>   https://reproducible-builds.org/reports/2021-03/?draft

I don't understand from that post what's so significant about sigstore,
even after having followed the link to upstream's press release.  

The key technical points of upstream's PR seem to be:

> > Signing materials are then stored in a tamper-proof public log

> > Very few open source projects cryptographically sign software
> > release artifacts

> > sigstore seeks to solve […] by utilization of short lived
> > ephemeral keys with a trust root leveraged from an open and
> > auditable public transparency logs.

but none of that says what sigstore _actually does_, what attacks it
aims to thwart, why it's new/significant…

It's not our business to fix their press release, of course, but if we
link to something, we should ensure _our_ readers will be able to tell
what we link to and why it's significant.  If their press release doesn't
explain that, then we could explain those bits ourselves, or link to
a more technical write-up (cf. https://m.xkcd.com/1301/), etc.

HTH,

Daniel