ppkarwasz commented on PR #4095: URL: https://github.com/apache/logging-log4j2/pull/4095#issuecomment-4258508759
After successfully enabling rulesets in `logging-parent`, I extended this PR to cover the `2.x` branch in cccea50. One small catch: until apache/infrastructure-asfyaml#93 is merged, these rulesets cannot be modified.

@puerco: are these controls sufficient to classify Log4j as **SLSA Source Level 4** compliant? As you know, we enforce quite a "Byzantine bureaucracy" here and would love something to show for it:

[](https://slsa.dev)

...alongside the in-toto attestations we will produce.

A couple of related questions:

- Should we also protect `release/*` branches to demonstrate that every commit up to a release has been reviewed? The `rel/*` tags sit on short-lived side branches that originate from the two protected branches (`2.x` and `main`).
- For tags, I opened #4096 to discuss cleaning up some historical inconsistencies before locking down `rel/*` tags.

> [!NOTE]
> For bystanders wondering: SLSA would not have prevented Log4Shell. It only protects against **malicious** actors, not honest mistakes that pass the full review process.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
