Describe the bug
I've bumped into a case of a repository that published some signed releases years ago, but all of its last 10 releases are not signed. In this case, Scorecard is still granting an 8/10 score on Signed-Releases.
Reproduction steps
Steps to reproduce the behavior:
Run the following command to run Scorecard on project github.com/AcademySoftwareFoundation/openexr
Note that the project scores 8/10 on Signed-Releases because of the signed artifacts of the releases v2.4.2, v2.5.2 and v2.5.3, but the current version of the project is v3.2.0, and there were several different releases between them.
Expected behavior
The score 8/10 is given to any project that signs its releases but doesn't emit provenance. However, this check should mostly consider the most recent releases, not only old ones.
The last release with any signing artifacts was v2.5.3; since then the releases are source-code-only (only tar/zip files, which GitHub creates automatically), so we don't require them to be signed, since we implicitly trust GitHub/GitLab to zip correctly. Opened a PR to clarify this in our docs.
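To make the behaviour described in this thread concrete, here is an added Go example (not Scorecard's own code) that walks a project's releases newest-first, skips releases that carry no uploaded assets (the case where only GitHub's auto-generated source archives exist), and evaluates only the releases that remain. The `Release` type, the look-back limit, the signature and provenance file suffixes, and the 10/8/0 scoring rubric are all assumptions made for illustration; the sample release list is constructed to resemble the report above (newest releases with no uploaded assets, older releases with a tarball plus a detached signature), not fetched from the real project.

```go
package main

import (
	"fmt"
	"strings"
)

// Release is a minimal stand-in for a forge release (assumed shape; not Scorecard's type).
// Assets holds only files a maintainer uploaded. The tar/zip source archives that
// GitHub generates automatically are not assets, so a source-only release has none.
type Release struct {
	Tag    string
	Assets []string
}

// Assumed file endings that indicate a detached signature or a provenance attestation.
var (
	signatureSuffixes  = []string{".asc", ".sig", ".minisig", ".sigstore"}
	provenanceSuffixes = []string{".intoto.jsonl"}
)

func hasAssetWithSuffix(r Release, suffixes []string) bool {
	for _, a := range r.Assets {
		for _, s := range suffixes {
			if strings.HasSuffix(a, s) {
				return true
			}
		}
	}
	return false
}

// ReleaseStatus is the per-release verdict for a release that had uploaded assets.
type ReleaseStatus struct {
	Tag        string
	Signed     bool
	Provenance bool
}

// Classify walks releases newest-first, skips source-only releases instead of
// counting them as unsigned, and stops once lookBack releases with uploaded assets
// have been collected. It also reports how many source-only releases were skipped
// before the window filled, which is the diagnostic the reporter was missing.
func Classify(releases []Release, lookBack int) (considered []ReleaseStatus, skipped int) {
	for _, r := range releases {
		if len(considered) == lookBack {
			break
		}
		if len(r.Assets) == 0 {
			skipped++
			continue
		}
		considered = append(considered, ReleaseStatus{
			Tag:        r.Tag,
			Signed:     hasAssetWithSuffix(r, signatureSuffixes),
			Provenance: hasAssetWithSuffix(r, provenanceSuffixes),
		})
	}
	return considered, skipped
}

// Score applies an assumed rubric: 10 for a release with provenance, 8 for a release
// with only a signature, 0 otherwise, averaged over the considered releases.
// It returns -1 when nothing was considered (no release had uploaded assets).
func Score(considered []ReleaseStatus) int {
	if len(considered) == 0 {
		return -1
	}
	total := 0
	for _, s := range considered {
		switch {
		case s.Provenance:
			total += 10
		case s.Signed:
			total += 8
		}
	}
	return total / len(considered)
}

// Constructed sample: the four newest tags have no uploaded assets, the three older
// ones carry a tarball plus a detached .asc signature. Asset names are illustrative.
var sampleReleases = []Release{
	{Tag: "v3.2.0"},
	{Tag: "v3.1.0"},
	{Tag: "v3.0.0"},
	{Tag: "v2.5.3", Assets: []string{"openexr-2.5.3.tar.gz", "openexr-2.5.3.tar.gz.asc"}},
	{Tag: "v2.5.2", Assets: []string{"openexr-2.5.2.tar.gz", "openexr-2.5.2.tar.gz.asc"}},
	{Tag: "v2.4.2", Assets: []string{"openexr-2.4.2.tar.gz", "openexr-2.4.2.tar.gz.asc"}},
}

func main() {
	considered, skipped := Classify(sampleReleases, 5)
	fmt.Printf("skipped %d source-only release(s) while filling the look-back window\n", skipped)
	for _, s := range considered {
		fmt.Printf("%-8s signed=%v provenance=%v\n", s.Tag, s.Signed, s.Provenance)
	}
	fmt.Printf("score: %d/10\n", Score(considered))
}
```

Run as written, the three newest tags are skipped rather than scored, the window is filled by the three old signed releases, and the result is 8/10, which is the outcome both participants describe. The `skipped` count is the number a practitioner would want surfaced alongside the score when deciding whether an 8 reflects current signing practice or only historical artifacts.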