Produce cryptographic signing guide for package managers #10

Lots of ink has been spilled on cryptographic signing in package managers (see "Misc. references" below). And we've certainly had our fair share of discussion in this working group. Still, new package managers pop up every day and must rehash many of these conversations for themselves (not to mention existing package managers that want to add security features after the fact).

Subtleties involve:

This group is in a good position to produce some documentation (I've even written some about this, though it's not in a digestible format) that covers:

I don't think we want to be too prescriptive, but we can help focus some of these discussions and make sure folks have all the relevant context when making decisions, plus even give step-by-step adoption guidelines.

Please feel free to add other references, other open questions, and (best) volunteer to coordinate this!

Misc. references

(Due to personal interest, I pay most attention to the proposals that involve Sigstore, but feel free to suggest others.)

Comments

@znewman01 great initiative! I would love to help out here and share any learnings from GitHub and from working on provenance for npm.

We covered some, but not all, of this content in #17. There were some requests for additional content on #17 (comment) that we could think about addressing in future docs.