Sent from my iPad
> On 17 Feb 2023, at 07:10, Fabian Keil via curl-library <curl-library@lists.haxx.se> wrote:
>
> Diogo Sant'Anna via curl-library <curl-library@lists.haxx.se> wrote on 2023-02-16 at 16:33
>> Moving your release process (i.e., the packaging of the tarball) to an automated script in GitHub Actions (GHA).
>
> Are you suggesting that creating the release on (IMHO) untrustworthy and proprietary GitHub infrastructure is more secure than using a system Daniel controls?
> Should the OpenPGP key that is used to sign the releases be copied to GitHub infrastructure as well?
> In my opinion this would be a step in the wrong direction.

As someone who has spent a significant proportion of the last two years trying to secure against supply chain attacks in Java land, I would concur that this would be a huge step back.

A lot of built artifacts come with a signature assigned to a robot on insecure infrastructure; why should I trust either the artifact or the signing key (particularly since the owners often don't publish them anywhere and change them on a whim)?

As it stands, if we needed to include a curl shipped artifact in our bundle I could have it set up to be trusted in 5 minutes. If this change happened I would be struggling to proceed and instead would build from source.

-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
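The "set up to be trusted in 5 minutes" step the reply refers to is key pinning: accept a release only if its detached OpenPGP signature verifies against a key whose full fingerprint was recorded in advance, so a robot key that changes on a whim fails the check. The script below is an added example, not code from the curl project or from any participant in this thread. It assumes the `gpg` command-line tool is available, reads GnuPG's machine-readable `--status-fd` output, and uses all-zero and all-one placeholder fingerprints rather than any real release-signing key; the sample status lines are constructed, not captured from a real run.

```python
"""Pinned-fingerprint verification policy for a downloaded release tarball.

Added example (not curl project code). Assumes GnuPG is invoked with
--status-fd so that machine-readable '[GNUPG:] ...' lines are available.
A signature is trusted only if GnuPG reports it VALIDSIG *and* the signing
key (or its primary key) matches a fingerprint pinned ahead of time.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Verdict:
    trusted: bool
    reason: str
    fingerprint: Optional[str] = None


# PLACEHOLDER fingerprint, not the real curl release-signing key.
# A real deployment would record the maintainer's published fingerprint here.
PINNED_FINGERPRINTS = frozenset({
    "0000000000000000000000000000000000000000",
})


def evaluate_status(status_lines: Iterable[str],
                    pinned=PINNED_FINGERPRINTS) -> Verdict:
    """Decide trust from GnuPG status lines.

    GOODSIG alone only says the signature checks out against *some* key in
    the local keyring, so it is not enough for a pinning policy. VALIDSIG
    carries the signing (sub)key fingerprint as its first field and the
    primary key fingerprint as its last field; either may be pinned.
    Web-of-trust lines (TRUST_*) are deliberately ignored: the pin is the
    trust decision.
    """
    valid_fprs = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return Verdict(False, f"signature rejected: {tag}")
        if tag in ("EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"signing key unusable: {tag}")
        if tag == "VALIDSIG" and len(fields) >= 12:
            valid_fprs.append((fields[2].upper(), fields[-1].upper()))
    if not valid_fprs:
        return Verdict(False, "no VALIDSIG line: signature not verified")
    for sig_fpr, primary_fpr in valid_fprs:
        if sig_fpr in pinned or primary_fpr in pinned:
            return Verdict(True, "valid signature from pinned key", primary_fpr)
    return Verdict(False, "valid signature but key is not pinned",
                   valid_fprs[0][1])


def verify_release(tarball: str, signature: str,
                   pinned=PINNED_FINGERPRINTS) -> Verdict:
    """Run gpg on a detached signature and apply the pinning policy."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout.splitlines(), pinned)


# Constructed sample output (not from a real gpg run); placeholder fingerprints.
SAMPLE_PINNED_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000000000000000 Example Maintainer <maintainer@example.invalid>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2023-02-16 1676563980 0 4 0 1 10 00 0000000000000000000000000000000000000000",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Same shape, but signed by an unpinned key (the "robot on CI" case).
SAMPLE_ROBOT_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2222222222222222 CI Robot <robot@example.invalid>",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2023-02-16 1676563980 0 4 0 1 10 00 2222222222222222222222222222222222222222",
]


if __name__ == "__main__":
    print(evaluate_status(SAMPLE_PINNED_RUN))
    print(evaluate_status(SAMPLE_ROBOT_RUN))
```

Run against a real download as `verify_release("curl-X.Y.Z.tar.xz", "curl-X.Y.Z.tar.xz.asc")` after importing the maintainer's key into the keyring and replacing the placeholder fingerprint; the policy then fails closed on anything that is not both cryptographically valid and signed by the pinned key.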