civodul pushed a commit to branch master
in repository maintenance.
commit b7fce8ece1d82c97ffb41f79a3550340f95ae65b
Author: Ludovic Courtès <[email protected]>
AuthorDate: Mon Aug 30 16:02:19 2021 +0200
icse-2022: Mention sigstore.
---
doc/icse-2022/security.sbib | 6 ++++++
doc/icse-2022/supply-chain.skb | 14 +++++++-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/doc/icse-2022/security.sbib b/doc/icse-2022/security.sbib
index 8ef6c95..cef3c99 100644
--- a/doc/icse-2022/security.sbib
+++ b/doc/icse-2022/security.sbib
@@ -198,6 +198,12 @@ Thayer")
(year "2010")
(url "https://www.fsf.org/blogs/sysadmin/savannah-and-www.gnu.org-downtime"))
+(misc sigstore2021:web
+ (author "The Linux Foundation")
+ (title "sigstore, a new standard for signing, verifying and protecting
software")
+ (year "2021")
+ (url "https://www.sigstore.dev/"))
+
#|
(defun skr-from-bibtex ()
"Vaguely convert the BibTeX snippets after POINT to SBibTeX."
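Review bot: the new `sigstore2021:web` entry cites only a bare URL and year; since the source is a project homepage rather than a paper, consider adding an access date (for example a `(note "Accessed 2021-08-30")` field in the style the rest of `security.sbib` uses, if one exists) so the reference stays verifiable if the page changes. Also note that the `(title ...)` string is shown here wrapped across two lines ("... protecting" / "software\")"); if that is a real line break inside the string and not just display wrapping, the rendered title will carry a stray newline, so keep it on one line in the file.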
diff --git a/doc/icse-2022/supply-chain.skb b/doc/icse-2022/supply-chain.skb
index d4625b6..4dec83f 100644
--- a/doc/icse-2022/supply-chain.skb
+++ b/doc/icse-2022/supply-chain.skb
@@ -968,13 +968,13 @@ containing “build recipe”. To date, it appears that ,(tt
[opam update])
itself does not authenticate repositories though; it is up to users and
developers to run Conex.])
- (p [The in-toto framework can be thought of as a generalization of
-TUF; it aims at ensuring the integrity of complete software supply
-chains, taking into accounts the different steps that comprise software
-supply chains in widespread use such as Debian’s ,(ref :bib
-'torresarias2019:intoto). In particular, it focuses on ,(emph [artifact
-flow integrity])—that artifacts created by a step cannot be altered
-before the next step.])
+ (p [The in-toto framework ,(ref :bib 'torresarias2019:intoto) and
+similarly sigstore ,(ref :bib 'sigstore2021:web) can be thought of as a
+generalization of TUF; it aims at ensuring the integrity of complete
+software supply chains, taking into accounts the different steps that
+comprise software supply chains in widespread use such as Debian’s. In
+particular, it focuses on ,(emph [artifact flow integrity])—that
+artifacts created by a step cannot be altered before the next step.])
(p [Thanks the functional deployment model, Guix has end-to-end
control over artifact flow, from source code to binaries delivered to
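Review bot: the rewritten paragraph now has two subjects ("The in-toto framework ... and similarly sigstore ...") but continues with the singular "it aims at" and "it focuses on", so the sentence no longer agrees grammatically, and the properties it then lists (integrity of complete supply chains, ,(emph [artifact flow integrity]) between steps) are the ones the original text attributed to in-toto alone. The sigstore entry added in `security.sbib` in this same commit describes it as "signing, verifying and protecting software", which is a narrower claim than step-to-step artifact flow integrity; consider keeping the in-toto description as it was and giving sigstore its own sentence (e.g. "Sigstore ,(ref :bib 'sigstore2021:web) addresses the related problem of signing and verifying software artifacts."), so the paper does not assert a property of sigstore it does not substantiate. While touching these lines, "taking into accounts" should read "taking into account".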