ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4435796045
The PRs are independent and follow separate SLSA tracks:

- This PR is necessary for the [SLSA Build Track](https://slsa.dev/spec/v1.2/build-track-basics) and generates attestations to explain how binaries are built.
- apache/commons-parent#706 is necessary for the [SLSA Source Track](https://slsa.dev/spec/v1.2/source-requirements) and generates attestations to explain how commits come into existence.

Deployed together they are stronger: you can verify that a binary comes from a particular commit **and** that the commit was submitted to a protected branch. In recent supply-chain attacks, one of those conditions is not satisfied: for example the build is original, but the tagged commit comes from a fork, not the original repository.

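As an added example that is not part of this PR, the plugin, or the comment above: a small verifier that links a constructed SLSA v1 build provenance statement to a constructed source-track statement through the commit digest, so both conditions from the comment (built from the expected repository and commit, and that commit merged into a protected branch) must hold. The build provenance keys follow the SLSA v1 provenance schema; the source-track statement's `predicateType`, `branch` and `protected` keys, the repository URL and the artifact bytes are assumptions constructed for the example.

```python
import hashlib

SLSA_BUILD_PREDICATE = "https://slsa.dev/provenance/v1"
SOURCE_PREDICATE = "https://example.invalid/source-track/v1"  # assumed placeholder type

def build_provenance(artifact: bytes, repo: str, commit: str) -> dict:
    """Constructed SLSA v1 build provenance: the artifact was built from `commit` of `repo`."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "artifact.jar",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_BUILD_PREDICATE,
        "predicate": {"buildDefinition": {"resolvedDependencies": [
            {"uri": f"git+{repo}", "digest": {"gitCommit": commit}}]}},
    }

def source_attestation(repo: str, commit: str, branch: str, protected: bool) -> dict:
    """Constructed source-track statement; the predicate field names are assumptions."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": repo, "digest": {"gitCommit": commit}}],
            "predicateType": SOURCE_PREDICATE,
            "predicate": {"branch": branch, "protected": protected}}

def verify(artifact: bytes, build: dict, source: dict,
           expected_repo: str, protected_branches: set) -> tuple:
    """Return (ok, reason). Both tracks must hold and must agree on the same commit."""
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in build["subject"]):
        return False, "artifact digest not covered by build provenance"
    deps = build["predicate"]["buildDefinition"]["resolvedDependencies"]
    src = [d for d in deps if d["uri"] == f"git+{expected_repo}"]
    if not src:  # built from another repository, e.g. a fork
        return False, "build source is not the expected repository"
    commit = src[0]["digest"]["gitCommit"]
    if not any(s["name"] == expected_repo and s["digest"].get("gitCommit") == commit
               for s in source["subject"]):
        return False, "source attestation does not cover the built commit"
    pred = source["predicate"]
    if not (pred["protected"] and pred["branch"] in protected_branches):
        return False, "commit was not merged into a protected branch"
    return True, "ok"

# Constructed sample values (not from any real project).
ART = b"constructed artifact bytes"
REPO = "https://github.com/example/project"
COMMIT = "a" * 40
```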