ppkarwasz commented on PR #706:
URL: https://github.com/apache/commons-parent/pull/706#issuecomment-4460856794

   > > The source track shows relationships between source commits,
   > 
   > Is this the same as the commit history, the git log? Commit A's parent is 
B, B's parent is C, and so on? All the way to the first commit in the repo?
   
   Yes, except each commit is signed by Sigstore using an ephemeral 
certificate, so you can verify the commit date too. Normally in Git you can use 
any author, committer and commit date.
   
   Additional properties are also registered, like the existence of technical 
controls against force-push and deletion (see [source-tool Controls](https://github.com/slsa-framework/source-tool/blob/main/docs/DESIGN.md#controls) 
for properties followed by `source-tool`).
   
   > This is the same as above, but per JAR, POM, all the files we put on Maven 
Central? In our case, these would be the same for each file, right?
   
   Yes, the attestation contains both the SHA1 of the commit and checksums of 
the Maven artifacts and you bind them together, basically stating “I built 
these artifacts from this commit”.
   
   > This PR causes a build to fail if the above happens? Like if a RM tries to 
release from his fork instead of from the repo?
   > 
   > Let's say a bad guy breaks into Apache's dist server and replaces a JAR 
file, couldn't they also replace everything related to that JAR?
   
   This PR does not verify attestations, it just produces them. I will add 
other workflows that can verify attestations in the dependencies of a project: 
e.g. Log4j could verify that the Commons Compress artifact was signed by you 
and was built from a commit in the `commons-compress` repo.
   
   There is no single way to verify an artifact: you need to know the release 
policy of a project and verify if it was met. If you release from a local 
`release` branch and then you push it to GitHub, consumers can verify that:
   
   - The Compress JAR came from this repo and was signed by you,
   - The commit used by the release was pushed to this repo.
   
   **TL;DR**: we set the expectations of how the project works and consumers 
verify that our own rules were followed.
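
As an added illustration of the consumer-side check described in the comment above (example code written for this page, not part of ppkarwasz's comment, the PR, or source-tool): a Python policy check over a constructed SLSA v1 provenance statement. The repository URL, workflow path, commit id and artifact bytes are made-up placeholders, and the `pushed_commits` set stands in for a real lookup of commits present in the upstream repository.

```python
import hashlib

# Constructed sample artifact and provenance statement (in-toto Statement with
# a SLSA v1 provenance predicate). Field names follow the SLSA v1 layout; all
# values are made up for this example.
ARTIFACT = b"constructed contents of commons-compress.jar"
RELEASE_COMMIT = "0123abcd" * 5  # placeholder 40-hex commit id
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "commons-compress.jar",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/apache/commons-compress@refs/heads/release",
            "digest": {"gitCommit": RELEASE_COMMIT}}]},
        "runDetails": {"builder": {
            "id": "https://github.com/apache/commons-compress/.github/workflows/release.yml@refs/heads/release"}},
    },
}


def verify_release_policy(statement, artifact_bytes, expected_repo, pushed_commits):
    """Check a (signature-verified) provenance statement against a release policy.

    Returns the list of policy violations; an empty list means the artifact
    satisfies the policy. Sigstore signature verification of the statement is
    assumed to have happened before this call; `pushed_commits` stands in for a
    lookup of commits actually present in the upstream repository.
    """
    violations = []
    # 1. The attestation must name exactly this artifact (the "I built these
    #    artifacts from this commit" binding).
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        violations.append("artifact digest is not a subject of the attestation")
    # 2. The build must have been run from the expected repository, not a fork.
    deps = statement["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    source = next((d for d in deps
                   if d.get("uri", "").startswith("git+" + expected_repo + "@")), None)
    if source is None:
        violations.append(f"build source is not {expected_repo}")
    # 3. The release commit must exist in the repository (not only locally).
    elif source.get("digest", {}).get("gitCommit") not in pushed_commits:
        violations.append("release commit was never pushed to the repository")
    return violations
```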


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
