security-profiles-operator icon indicating copy to clipboard operation
security-profiles-operator copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

security: Authenticate build tooling

Open stephen-fox opened this issue 2 years ago • 2 comments

What would you like to be added:

Currently, the Makefile automation downloads tools like kustomize, kubernetes-split-yaml, and operator-sdk without authenticating them. In other words, their hashes are not checked, or they are not built from source using go install (assuming they are written in Go). The latter method ensures the source code and its dependencies match what is in Google's sum database. This is potentially more convenient because it eliminates the need to carry around hashes for platform-specific executables. For more information about Go dependency authentication, refer to: https://go.dev/ref/mod#authenticating

Why is this needed:

Supply chain security.

User story covered

I am not really sure what to put here... it looks like all the user stories desire some level of security. I am open to guidance about editing this to something else. This issue could also be changed to a bug - I was not sure what to select.

stephen-fox avatar Jul 21 '22 19:07 stephen-fox

@stephen-fox great points and I totally agree that we should verify their integrity! Do you mind creating a PR for that?

saschagrunert avatar Jul 22 '22 06:07 saschagrunert

@stephen-fox we are doing this for other dependencies, you might wanna look at this if you want ideas https://github.com/kubernetes-sigs/security-profiles-operator/pull/1040

Thanks for bringing this up! This will be very useful for us to increase our security stance.

JAORMX avatar Jul 22 '22 07:07 JAORMX

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Oct 20 '22 07:10 k8s-triage-robot

/remove-lifecycle stale

JAORMX avatar Oct 20 '22 07:10 JAORMX

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 18 '23 08:01 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Feb 17 '23 09:02 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Mar 19 '23 10:03 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 19 '23 10:03 k8s-ci-robot