core
provenance checking and reporting based on SigStore
Is your feature request related to a problem? Please describe. tbd
High-level Goals: With the current provenance checking method, we provide some value to the user. To increase the potential value, we want to base provenance checks on Sigstore. This way we could report which parts of the software stack lack strong supply chain security and suggest actions to the developers. #DevSecOps
Describe the solution you'd like: tbd
Describe alternatives you've considered: SHA-based provenance checks
Additional context: n/a
Acceptance Criteria: tbd
It might be a good idea to wait for upstream to establish signing artifacts before proceeding with this one - see PEP-480. Let's wait for the upstream implementation of this and for standards to be established, so we have a proper implementation following Python packaging standards.
/triage accepted /priority important-longterm
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/lifecycle frozen
Current status seems to be:
- The PEP-480 related discussion mentions Sigstore
- There is an ongoing discussion in https://github.com/axelsimon/peps/pull/1 to adapt PEP-480 to Sigstore