-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG: checks Signed-Releases and Packaging returning ?
when the repo actually has releases on GitHub
#2763
Comments
|
I've been thinking about this. Could it be that tarballs generated by GitHub are somehow trusted and ignored because of that? https://wiki.debian.org/Creating%20signed%20GitHub%20releases (which scorecard refers to) expects people to verify them but at least systemd tried that and decided not to go forward with that systemd/systemd#2926. At this point distros caring about those things use signed git tags but realistically most distributions take systemd from its stable repository so it doesn't matter much what this check says because it isn't applicable to how systemd is normally consumed. |
More generally since they are generated by GitHub maybe GitHub should sign them itself (ideally once it verifies that tags those tarballs are based on are properly signed). It could also generate provenance :-) |
Related to #688 |
Glancing at the Scorecard code, it doesn't seem to disconsider the automatically-generated assets created for a release. It may be that the API they use doesn't list such assets. That's not unreasonable (though understandably unexpected), since those assets don't really exist. They're actually generated on-the-fly via Git every time they're requested. This actually lead to a huge breakage in early 2023 when GitHub upgraded their Git version, which had itself upgraded the library it uses to generate the tarballs. |
I think it's a GitHub bug. It should make sure that stuff it automatically generates and distributes via its own platform can't be tampered with and also let consumers verify that. That's the essence of the supply chain security :-) |
Related, see discussion here: https://github.com/ossf/scorecard/pull/2186/files#r951620855 |
I agree that scorecard should say "inconclusive" in this particular case but since those tarballs are automatically injected into releases they still should be dealt with by GitHub. Or it shouldn't generate them at all and let consumers find things with signatures instead of blindly trusting GitHub with its tarballs with unknown provenance. |
Describe the bug
I'm running Scorecard v4.10.2 over projects that have releases on GitHub, but the checks Signed-Releases and Packaging return
?
as Score results. As you can see on the image below, on the Packaging result I get "no published package detected" as reason, and for Signed-Releases I get "no releases found".Reproduction steps
Steps to reproduce the behavior:
You can evaluate directly those checks with
scorecard --repo=tensorflow/tensorflow --checks=Packaging,Signed-Releases
Expected behavior
The evaluation should consider the releases on GitHub and give a punctuation accordingly.
The text was updated successfully, but these errors were encountered: