Please review the draft for March's report

Santiago Torres-Arias santiago at
Tue Apr 6 14:50:20 UTC 2021

> I think mentioning sigstore is valuable. Reproducible builds let you verify that
> a given build *is* generated from a given source; sigstore can let you
> verify that you got the *correct* source or build.

I think mentioning sigstore is a good idea (full disclosure, I'm
involved in the effort), and I think it's somewhat of a natural
consequence of the work that Benjamin Hof[1] and Morten Linderud[2]
(both of them involved in this very community) started talking about.

However, I don't think that "sigstore can let you verify that you got
the *correct* source or build" is a correct way to frame things. For
that, you would need something like in-toto (so as to verify that the
source used is the same, that the output is the same, and that a
threshold of builders agree on the result of the operation).

Sigstore is useful in answering questions about artifact discovery
(i.e., to provide a log of the existing artifacts), when they appeared
and to remove equivocation about an artifact being published. It in fact
provides a pluggable type backend (early on, it was only in-toto
attestations) so that you can upload different types of attestations
about a software artifact. This way, you can upload signatures for
artifacts that are cross-ecosystem. Ideally, you can achieve a more
global notion about the state of the software supply chain this way.

Do notice that verification is not part of the user story yet (i.e.,
anybody can claim to own any artifact).


> --- David A. Wheeler
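The distinction drawn above (a transparency log records that an attestation exists; an in-toto style check is what ties a source to an output and asks a threshold of builders to agree) can be shown with a small, constructed threshold check. This is an added illustration, not code from in-toto or sigstore; the builder names, file names and byte strings are made up, and signature verification is elided, so `builder` stands in for an already verified signer identity.

```python
import hashlib

# Constructed sample artifacts (not real packages).
SOURCE = b"hypothetical source tarball"
GOOD_OUTPUT = b"hypothetical reproducible binary"
BAD_OUTPUT = b"hypothetical divergent binary"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each record mirrors the shape of an in-toto link: what went in (materials),
# what came out (products), and who claims it (a verified signer identity).
ATTESTATIONS = [
    {"builder": "builder-a", "materials": {"src.tar": sha256(SOURCE)},
     "products": {"pkg.bin": sha256(GOOD_OUTPUT)}},
    {"builder": "builder-b", "materials": {"src.tar": sha256(SOURCE)},
     "products": {"pkg.bin": sha256(GOOD_OUTPUT)}},
    {"builder": "builder-c", "materials": {"src.tar": sha256(SOURCE)},
     "products": {"pkg.bin": sha256(BAD_OUTPUT)}},
]


def agreed_output(attestations, expected_source, artifact, threshold):
    """Return the product digest that at least `threshold` distinct builders
    derived from `expected_source`, or None when no digest reaches the
    threshold or when more than one does (conflicting claims are not
    evidence). Repeated attestations from the same builder count once."""
    votes = {}
    for att in attestations:
        if att["materials"].get("src.tar") != expected_source:
            continue  # built from some other source: irrelevant to this check
        out = att["products"].get(artifact)
        if out is None:
            continue
        votes.setdefault(out, set()).add(att["builder"])
    reaching = [d for d, builders in votes.items() if len(builders) >= threshold]
    return reaching[0] if len(reaching) == 1 else None


def download_matches(data: bytes, agreed_digest: str) -> bool:
    """Final step for a consumer: the bytes actually fetched must hash to the
    digest the builders agreed on; the log alone never establishes this."""
    return agreed_digest is not None and sha256(data) == agreed_digest
```

With a threshold of 2 the two agreeing builders outvote the divergent one; with a threshold of 1 both digests qualify and the function refuses to pick, which is the equivocation case the thread is concerned with.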