Santiago Torres-Arias wrote on Tue, 06 Apr 2021 18:17 +00:00:
> On Tue, Apr 06, 2021 at 05:02:58PM +0000, Daniel Shahaf wrote:
> > > Do notice that verification is not part of the user story yet (i.e.,
> > > anybody can claim to own any artifact).
> >
> > So, if I understand correctly, sigstore doesn't prove to third parties
> > that Alice had signed foo; rather, sigstore simply states "We have
> > witnessed Alice sign foo". Alice doesn't actually need to be involved
> > for sigstore to be able to say that. Thus, I think the technical
> > details boil down to """
>
> Well, yes in a sense sigstore allows you to get a key based on oidc
> (similar to let's encrypt), or allows you to stick your usual signatures
> in the log (i.e., the witnessing element you're mentioning). Let me try
> to rephrase on the text below and see if I can help with that.
>
> >
> > diff --git a/_reports/2021-03.md b/_reports/2021-03.md
> > index 080f089..52dd630 100644
> > --- a/_reports/2021-03.md
> > +++ b/_reports/2021-03.md
> > @@ -18,8 +18,6 @@ In our monthly reports, we try to outline the most
> > important things that have ha
> > ⋮
>
> I made some minor edits, that I think may help with clarity.
Thanks! Where are those edits? I don't see them in reproducible-website.git or in your reply.

> I wasn't trying to be incredibly pedantic about the phrasing, but
> rather to be upfront about sigstore not having a trust policy (yet).
> Sigstore is actively working with communities (such as this one) to
> better identify what policies make sense (e.g., to allow to represent
> and enforce a build being reproducible).
>
> > Given that you're involved in the effort, and perhaps aware of plans to
> > address this in the future, perhaps you could propose better text for
> > the blog post?
>
> Definitely, I should've engaged more with the early LF press releases (I
> try to stick to systems building, research and education). I supplied a
> quote as a Purdue University professor, but that's as far as my
> engagement was with the press push.
>
> My earlier email is intended to help disambiguate. I agree that the
> blog post/announcement is quite content-free when read through with a
> fine comb.

By "blog post" I actually intended to refer to r-b's monthly report, since that one is due to be published tomorrow, but clarifying sigstore's docs is of course also a good thing ☺

Cheers,

Daniel