Fridolín Pokorný comments

Results 197 comments of


                                            Fridolín Pokorný

Solver should report exact package hash that was used to install a package

Nice research. Sadly, these hashes will not be part of the artifacts as the artifact hash is computed based on the artifact content, which makes it a chicken-egg problem. As...

Security confidence addition to the images for more clear traceability and security

Looking into this issue, it might be better to have security information on the backend side linked to the container image SHA (and let clients ask for it). If you...

Data driven decisions based on data from PyPI

/remove-lifecycle stale

[Spike][8pt]Perform dynamic source code analysis to give more security related guidenance

/remove-lifecycle stale

[Spike][8pt]Perform dynamic source code analysis to give more security related guidenance

Part of the planned intern project.

[Spike][8pt]Perform dynamic source code analysis to give more security related guidenance

BTW it might be also good to check if this data source would be suitable for solver rules to automatically block malicious packages based on OpenSSF's scans.

provanance checking and reporting based on SigStore

It might be a good idea to wait for upstream to establish signing artifacts before proceeding with this one - see [PEP-480](https://www.python.org/dev/peps/pep-0480/). Let's wait for upstream implementation for this and...

Audit containerized environments

Related: https://github.com/thoth-station/core/issues/366

[Epic] Automated Data Science bootstrap from curated content sets

We have discussed an approach that would reuse logic for template projects. Let's sync if we want to develop and maintain this type of logic in Kebechet.

Provide SLA and license for the cloud based resolver community

CC @codificat @goern do we want to start work on this one? It might take some time to have this available.