rules-template icon indicating copy to clipboard operation
rules-template copied to clipboard

Published 20 hours ago verified publisher icon bazel-contrib

Verify that our release process meets Google security standards

Open alexeagle opened this issue 2 years ago • 1 comments

In https://github.com/bazelbuild/rules_pkg/issues/716#issuecomment-1742206745 there's a suggestion that rules need complexity in their release process in order to make them secure.

I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.

I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.

alexeagle avatar Oct 05 '23 14:10 alexeagle

Note, I met a Googler at PackagingCon who works in OSS security and got the sense that our approach here is totally fine. I wish I had remembered this issue at the time and gotten that person's sign-off.

alexeagle avatar Jan 26 '24 17:01 alexeagle