
[Enhancement]: Add a framework of SLSA with a focus on mitigating supply-chain risk

Open leonrayang opened this issue 2 years ago • 1 comment

Contact Details

No response

Is there an existing issue for this?

  • [X] I have searched all the existing issues

What would you like to be added?

SLSA is a framework for assessing the security practices of a given software project with a focus on mitigating supply-chain risk. SLSA emphasises tamper resistance of artifacts as well as ephemerality of the build and release cycle. SLSA mitigates a series of attack vectors in the software development life cycle (SDLC), all of which have seen real-world examples of successful attacks against open-source and proprietary software.

Why is this needed?

No response

Anything else?

No response

leonrayang avatar Dec 15 '23 01:12 leonrayang
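The "tamper resistance of artifacts" that the issue refers to comes from build provenance: the builder records the digest of what it produced, and a consumer recomputes the digest of the binary it downloaded and compares it, along with the identity of the builder and the source it built from. The following is an added example, not code from the issue or from the CubeFS project, showing those checks over a SLSA v1 provenance statement (in-toto Statement v1, `predicate.runDetails.builder.id`, `predicate.buildDefinition.resolvedDependencies`). The artifact bytes, the builder id, the source URI and the `buildType` are constructed placeholders; whether a particular builder lists the source repository under `resolvedDependencies` is an assumption. It deliberately does not verify the DSSE envelope signature, which a real verifier (for example `slsa-verifier`) must also do before trusting the statement at all.

```python
"""
Minimal checker for a SLSA v1 provenance statement.

Added example; not CubeFS project code. The statement and the artifact are
constructed inline. Signature verification of the DSSE envelope is NOT done
here; this only shows the subject-digest, builder-identity and source checks
that make provenance useful against a tampered or substituted binary.
"""
import hashlib
import json

# Placeholders (assumptions): a trusted builder id and the expected source repo.
TRUSTED_BUILDER_ID = "https://example.invalid/trusted-builder"
EXPECTED_SOURCE_URI = "git+https://github.com/example-org/example-repo"

# Constructed sample artifact standing in for a released binary.
ARTIFACT = b"cfs-server binary contents (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Construct a SLSA v1 provenance statement describing `artifact`."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "cfs-server", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                # Placeholder buildType; a real builder publishes its own.
                "buildType": "https://example.invalid/build-types/docker-based",
                "externalParameters": {},
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": "0" * 40}}
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact: bytes, artifact_name: str,
                      trusted_builder_id: str, expected_source_uri: str) -> list:
    """Return a list of failure messages; an empty list means every check passed."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicateType")

    # Subject check: the digest we compute locally must equal the digest the
    # builder recorded. A modified binary fails here even if the statement is intact.
    actual = sha256_hex(artifact)
    subjects = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not subjects:
        failures.append(f"no subject named {artifact_name!r}")
    elif subjects[0].get("digest", {}).get("sha256") != actual:
        failures.append("subject digest mismatch: artifact does not match provenance")

    # Builder check: provenance from an unknown builder proves nothing.
    pred = statement.get("predicate", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != trusted_builder_id:
        failures.append(f"untrusted builder id {builder_id!r}")

    # Source check: the build must have consumed the repository we expect.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == expected_source_uri for d in deps):
        failures.append("expected source repository not among resolvedDependencies")
    return failures


def verify_json(statement_json: str, artifact: bytes) -> list:
    """Convenience wrapper: parse a serialized statement and verify it."""
    return verify_provenance(json.loads(statement_json), artifact, "cfs-server",
                             TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI)


if __name__ == "__main__":
    good = make_statement(ARTIFACT, TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI)
    print("genuine artifact:", verify_json(json.dumps(good), ARTIFACT) or "OK")
    print("tampered artifact:", verify_json(json.dumps(good), ARTIFACT + b"\x00"))
    rogue = make_statement(ARTIFACT, "https://example.invalid/other-builder", EXPECTED_SOURCE_URI)
    print("untrusted builder:", verify_json(json.dumps(rogue), ARTIFACT))
```

The three failure paths (wrong digest, wrong builder, wrong source) are kept separate so a release pipeline can log which property was violated rather than a bare pass/fail.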

The compilation environment of SLSA on GitHub is relatively independent, while some binaries of CubeFS require more additional C-like libraries, so they need to be compiled in the customized Docker image of CubeFS. The method of running a custom Docker image in the GitHub SLSA action environment is currently under research. For more information on the progress of each module: #2811. PR to master: see #2813; to release 3.3.1: see #2857.

sejust avatar Dec 15 '23 02:12 sejust