Please review the draft for March's report

Daniel Shahaf danielsh at apache.org
Tue Apr 6 19:18:44 UTC 2021


Santiago Torres-Arias wrote on Tue, 06 Apr 2021 18:17 +00:00:
> On Tue, Apr 06, 2021 at 05:02:58PM +0000, Daniel Shahaf wrote:
> > > Do notice that verification is not part of the user story yet (i.e.,
> > > anybody can claim to own any artifact).
> > 
> > So, if I understand correctly, sigstore doesn't prove to third parties
> > that Alice had signed foo; rather, sigstore simply states "We have
> > witnessed Alice sign foo".  Alice doesn't actually need to be involved
> > for sigstore to be able to say that.  Thus, I think the technical
> > details boil down to """
> 
> Well, yes, in a sense sigstore allows you to get a key based on OIDC
> (similar to Let's Encrypt), or allows you to stick your usual signatures
> in the log (i.e., the witnessing element you're mentioning). Let me try
> to rephrase the text below and see if I can help with that.
> 
> > 
> > diff --git a/_reports/2021-03.md b/_reports/2021-03.md
> > index 080f089..52dd630 100644
> > --- a/_reports/2021-03.md
> > +++ b/_reports/2021-03.md
> > @@ -18,8 +18,6 @@ In our monthly reports, we try to outline the most important things that have ha
> > ⋮
> 
> I made some minor edits that I think may help with clarity.

Thanks!

Where are those edits?  I don't see them in reproducible-website.git or in your reply.

> I wasn't trying to be incredibly pedantic about the phrasing, but
> rather to be upfront about sigstore not having a trust policy (yet).
> Sigstore is actively working with communities (such as this one) to
> better identify what policies make sense (e.g., to allow to represent
> and enforce a build being reproducible).
> 
> > Given that you're involved in the effort, and perhaps aware of plans to
> > address this in the future, perhaps you could propose better text for
> > the blog post?
> 
> Definitely, I should've engaged more with the early LF press-releases (I
> try to stick to systems building, research and education). I supplied a
> quote as a Purdue University professor, but that's as far as my
> engagement was with the press push.
> 
> My earlier email is intended to help disambiguate. I agree that the
> blogpost/announcement is quite content-free when read through with a
> fine comb.

By "blog post" I actually intended to refer to r-b's monthly report,
since that one is due to be published tomorrow, but clarifying
sigstore's docs is of course also a good thing ☺

Cheers,

Daniel
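The distinction the thread turns on (a transparency log "witnessing" that some identity signed an artifact, versus a consumer having a trust policy that says which identity is allowed to vouch for that artifact) is easy to state and easy to get wrong in code. The following Go program is an added illustration written for this page; it is not sigstore, cosign or Rekor code, and its `Entry`, `WitnessLog`, `Signer` and `Policy` types are a constructed toy model. It stands in for the OIDC-bound key with an Ed25519 key tagged by an identity string, and for the log with an in-memory slice. The point it makes is the one in Daniel's summary: the log accepts any well-formed signature from any identity, so "mallory" can claim "foo" just as "alice" can, and only the consumer's policy separates the two.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry is a simplified log record: a signature over an artifact digest made
// with a key the log associates with an identity. Constructed model, not
// Rekor's real entry format.
type Entry struct {
	Identity string            // identity asserted at signing time (e.g. via OIDC)
	Digest   [32]byte          // sha256 of the artifact
	PubKey   ed25519.PublicKey // key the log bound to Identity
	Sig      []byte            // signature over Digest[:]
}

// WitnessLog checks only that the signature verifies under the entry's key.
// It makes no judgement about whether Identity is entitled to this artifact.
type WitnessLog struct{ entries []Entry }

func (l *WitnessLog) Append(e Entry) error {
	if !ed25519.Verify(e.PubKey, e.Digest[:], e.Sig) {
		return errors.New("signature does not verify; entry not witnessed")
	}
	l.entries = append(l.entries, e)
	return nil
}

// Signer stands in for "a key obtained via OIDC": the identity is whatever the
// identity provider asserted, and anyone with an account can obtain one.
type Signer struct {
	Identity string
	priv     ed25519.PrivateKey
}

func NewSigner(identity string) (Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{Identity: identity, priv: priv}, nil
}

func (s Signer) Sign(artifact []byte) Entry {
	d := sha256.Sum256(artifact)
	return Entry{
		Identity: s.Identity,
		Digest:   d,
		PubKey:   s.priv.Public().(ed25519.PublicKey),
		Sig:      ed25519.Sign(s.priv, d[:]),
	}
}

// Policy is the piece the thread says sigstore does not yet supply: which
// identities a consumer chooses to trust for a given artifact name.
type Policy map[string][]string

// Check returns, for one artifact, the identities the log has witnessed
// signing it and the subset of those the policy actually trusts.
func Check(l *WitnessLog, name string, artifact []byte, p Policy) (witnessed, trusted []string) {
	d := sha256.Sum256(artifact)
	for _, e := range l.entries {
		if e.Digest != d || !ed25519.Verify(e.PubKey, e.Digest[:], e.Sig) {
			continue
		}
		witnessed = append(witnessed, e.Identity)
		for _, id := range p[name] {
			if id == e.Identity {
				trusted = append(trusted, e.Identity)
			}
		}
	}
	return witnessed, trusted
}

// Demo runs the scenario: two identities sign the same constructed artifact,
// a tampered entry is rejected, and the policy admits only alice.
func Demo() (witnessed, trusted []string, err error) {
	artifact := []byte("constructed contents of foo-1.0.tar.gz") // constructed sample
	wl := &WitnessLog{}
	for _, id := range []string{"alice@example.org", "mallory@example.net"} {
		s, e := NewSigner(id)
		if e != nil {
			return nil, nil, e
		}
		if e := wl.Append(s.Sign(artifact)); e != nil {
			return nil, nil, e
		}
	}
	// An entry whose signature does not verify is not witnessed at all.
	bad := wl.entries[0]
	bad.Sig = make([]byte, ed25519.SignatureSize)
	if wl.Append(bad) == nil {
		return nil, nil, errors.New("invalid signature was accepted")
	}
	policy := Policy{"foo": {"alice@example.org"}}
	witnessed, trusted = Check(wl, "foo", artifact, policy)
	return witnessed, trusted, nil
}

func main() {
	w, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("witnessed by:", w) // both identities
	fmt.Println("trusted by policy:", t) // only alice
}
```

Run it and the log reports two witnesses for `foo` while the policy accepts one; remove the `Policy` entry and `trusted` is empty, which is the situation the thread describes when no trust policy has been defined yet.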
