Mark Lodato via curl-library
2021-04-07 17:00:41 UTC
[In response to: https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/]
Hi curl maintainers,
I'd like to gauge your interest in hardening curl's software supply
chain against compromise by following the nascent SLSA Framework:
Supply-chain Levels for Software Artifacts. The high-level proposal
can be found at https://github.com/slsa-framework/slsa/. The gist is
that the SLSA levels outline a path for increasing a software supply
chain's security is relative to two principles: auditability and
two-person control. Built software is traced back to source through
signed metadata called provenance, and policies restrict not just
_who_ can release software but also _what_ they can release. At higher
SLSA levels, we have higher confidence that the provenance is accurate
and cannot be forged.
For curl, this might look something like the following:
- Start generating and publishing provenance for each build step
(maketgz plus all of the different releases).
- Make curl's build steps reproducible. (Not strictly required, but it
makes everything easier. It also avoids you having to trust one
particular vendor.)
- Start performing automated builds on GitHub Actions or similar. (If
the build is reproducible, this can be in addition to whatever you do
now.)
- Enable security controls on GitHub, such as two-factor
authentication and two-party review.
I'd love to hear your thoughts and can write a more detailed proposal
if there is interest. I also welcome comments on SLSA itself.
Best,
Mark
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:
Hi curl maintainers,
I'd like to gauge your interest in hardening curl's software supply
chain against compromise by following the nascent SLSA Framework:
Supply-chain Levels for Software Artifacts. The high-level proposal
can be found at https://github.com/slsa-framework/slsa/. The gist is
that the SLSA levels outline a path for increasing a software supply
chain's security is relative to two principles: auditability and
two-person control. Built software is traced back to source through
signed metadata called provenance, and policies restrict not just
_who_ can release software but also _what_ they can release. At higher
SLSA levels, we have higher confidence that the provenance is accurate
and cannot be forged.
For curl, this might look something like the following:
- Start generating and publishing provenance for each build step
(maketgz plus all of the different releases).
- Make curl's build steps reproducible. (Not strictly required, but it
makes everything easier. It also avoids you having to trust one
particular vendor.)
- Start performing automated builds on GitHub Actions or similar. (If
the build is reproducible, this can be in addition to whatever you do
now.)
- Enable security controls on GitHub, such as two-factor
authentication and two-party review.
I'd love to hear your thoughts and can write a more detailed proposal
if there is interest. I also welcome comments on SLSA itself.
Best,
Mark
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: