Verifying Artifacts

1 Users


4 Highlights

0 Notes


Top Highlights

  • SLSA uses provenance to indicate whether an artifact is authentic or not, but provenance doesn’t do anything unless somebody inspects it.

  • Package ecosystems verify an artifact’s provenance against a set of expectations.

  • Example threats in this category include building from an unofficial fork or abusing a build parameter to modify the build. Usually expectations identify the canonical source repository (which is the main external parameter)

  • A package version is considered to meet a given SLSA level if and only if the package ecosystem has verified its provenance against the package’s expectations.

Ready to highlight and find good content?

Glasp is a social web highlighter that people can highlight and organize quotes and thoughts from the web, and access other like-minded people’s learning.