
[feature] SLSA Go builds tarball for builds

Open naveensrinivasan opened this issue 3 years ago • 3 comments

Describe the bug

The SLSA builder used in https://github.com/ossf/scorecard/issues/2024 had stopped creating tarballs.

We need tarballs.

naveensrinivasan avatar Jul 07 '22 23:07 naveensrinivasan

I think they expect tarball because the previous scorecard releases used them, but if everything was binaries I think they'd be OK with that (not all projects use tarball or zip for their release, so their script should be able to adapt). Right?

Note: once https://github.com/slsa-framework/slsa-github-generator/issues/500, we could update scorecard release to use multiple config files and it would work. It's just not very friendly to do that :)

laurentsimon avatar Jul 07 '22 23:07 laurentsimon

In general, zipped files would also be nice to have. We can check what GoReleaser supports.

The next question is deciding where the provenance should be: inside the zip/tarball for each binary, or should it cover the entire zip/tarball... or both?

laurentsimon avatar Jul 08 '22 16:07 laurentsimon
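The two placements discussed above differ in what the provenance's subject list attests to. The following is an added example (not code from this thread or from slsa-github-generator) that builds a constructed in-memory release tarball, derives SLSA/in-toto subject digests either for the archive alone or for the archive plus each binary inside it, and then checks an artifact against those subjects the way a consumer would. The in-toto Statement and SLSA v0.2 predicate type URIs are real; the `scorecard-*` file names, payload bytes and archive name are constructed sample values, and `predicate` is left as a labelled placeholder.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample "binaries" (not real ELF/Mach-O files).
SAMPLE_MEMBERS = (
    ("scorecard-linux-amd64", b"\x7fELF sample-a"),
    ("scorecard-darwin-amd64", b"\xcf\xfa\xed\xfe sample-b"),
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_tarball() -> bytes:
    """Build a small, deterministic .tar.gz in memory (constructed test data)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, payload in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name=name)  # mtime/uid/gid default to 0
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # mtime=0 keeps bytes stable
        gz.write(raw.getvalue())
    return out.getvalue()


def tarball_member_digests(tar_bytes: bytes) -> list:
    """Return (name, sha256) for every regular file inside the archive."""
    digests = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            digests.append((member.name, sha256_hex(data)))
    return digests


def subjects_for_tarball(tar_bytes: bytes, archive_name: str, include_members: bool) -> list:
    """Subject list in the in-toto Statement shape.

    include_members=False: provenance covers only the archive.
    include_members=True: provenance covers the archive AND each binary inside it,
    so a consumer can verify an unpacked binary without the original tarball.
    """
    subjects = [{"name": archive_name, "digest": {"sha256": sha256_hex(tar_bytes)}}]
    if include_members:
        for name, digest in tarball_member_digests(tar_bytes):
            subjects.append({"name": name, "digest": {"sha256": digest}})
    return subjects


def statement(subjects: list) -> dict:
    """Wrap subjects in an in-toto Statement; the predicate body is a placeholder here."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": subjects,
        "predicate": {"_note": "placeholder; real builds fill in builder/materials/etc."},
    }


def verify_artifact(subjects: list, name: str, data: bytes) -> bool:
    """Consumer-side check: is this artifact listed, and does its digest match?

    Returns False if the name is not attested at all, which is exactly what happens
    to an unpacked binary when provenance was generated for the archive only.
    """
    actual = sha256_hex(data)
    for subject in subjects:
        if subject["name"] == name:
            return hmac.compare_digest(subject["digest"]["sha256"], actual)
    return False


if __name__ == "__main__":
    tarball = build_sample_tarball()
    both = subjects_for_tarball(tarball, "scorecard.tar.gz", include_members=True)
    archive_only = subjects_for_tarball(tarball, "scorecard.tar.gz", include_members=False)
    print("subjects (archive + members):", [s["name"] for s in both])
    print("unpacked binary verifiable with member subjects:",
          verify_artifact(both, "scorecard-linux-amd64", SAMPLE_MEMBERS[0][1]))
    print("unpacked binary verifiable with archive-only subjects:",
          verify_artifact(archive_only, "scorecard-linux-amd64", SAMPLE_MEMBERS[0][1]))
```

The practical consequence is the one the comment hints at: archive-only provenance lets a consumer verify the download, but a binary extracted from it cannot be checked on its own, while listing the members as additional subjects costs nothing at build time and supports both workflows.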

> Note: once #500, we could update scorecard release to use multiple config files and it would work. It's just not very friendly to do that :)

That would work! Thanks

naveensrinivasan avatar Jul 08 '22 22:07 naveensrinivasan

@laurentsimon @naveensrinivasan is this issue still valid? Can we close?

ianlewis avatar Jan 06 '23 07:01 ianlewis

This is good now

naveensrinivasan avatar Jan 06 '23 13:01 naveensrinivasan