
Split BR-03 into development, release, and consumption requirements. #152

Open: wants to merge 3 commits into base: main

Conversation

evankanderson
Contributor

BR-03 requires:

Any websites, API responses or other services involved in the project development and release MUST be delivered using SSH, HTTPS or other encrypted channels

Which, on the face of it, would require that all developers ensure that any email sent relating to the project and project decisions is delivered via SMTPS. This is probably not intended.

I suspect this criterion will be clearer if we separate it into three concerns:

  • Secure access to source code (and use of secure connections during code review) during development.

    This seems well-addressed by git forges such as GitHub, GitLab et al.

  • Securing end-user access to released assets, including documentation. This would align with the best practices badge on sites_https and delivery_mitm.

    This seems addressed by a combination of checking the homepage is HTTPS and using a standard release mechanism (e.g. GitHub releases, language package managers, OCI repositories)

  • Securing external content during the release pipeline (e.g. a SLSA attack D on an insecure download)

    This seems trickier to assess, though we could make a stab at checking Makefiles, shell scripts, and GitHub Actions for http:// URLs. This will obviously be leaky.
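As an added example (not part of this PR or of the Baseline project's own tooling), a minimal version of the third check described above: scanning Makefiles, shell scripts and workflow files for cleartext http:// download URLs. The loopback allowlist, the sample files and the `.invalid` host names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hosts where cleartext HTTP is expected and not a download-integrity risk (assumed allowlist).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Captures the authority (host[:port]) after "http://"; stops at a path, quote or whitespace.
HTTP_URL = re.compile(r"\bhttp://([^\s\"'`<>/]+)")
# A '#' at line start or after whitespace begins a comment in Makefiles, shell and YAML.
COMMENT = re.compile(r"(?:^|\s)#")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    host: str
    text: str


def _hostname(authority: str) -> str:
    """Return the host part of host[:port], keeping IPv6 brackets intact."""
    if authority.startswith("[") and "]" in authority:
        return authority[: authority.index("]") + 1]
    return authority.split(":", 1)[0]


def find_cleartext_urls(path: str, content: str) -> list[Finding]:
    """Report http:// URLs in one build/release file, ignoring comments and allowlisted hosts."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        code = COMMENT.split(line, maxsplit=1)[0]  # drop trailing comment text
        for match in HTTP_URL.finditer(code):
            host = _hostname(match.group(1))
            if host.lower() not in ALLOWED_HOSTS:
                findings.append(Finding(path, lineno, host, line.strip()))
    return findings


def scan(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. Makefile, *.sh, .github/workflows/*.yml)."""
    return [f for path, content in files.items() for f in find_cleartext_urls(path, content)]


# Constructed sample inputs standing in for a repository's release tooling.
SAMPLE_FILES = {
    "Makefile": "tool:\n\tcurl -sSfL -o tool.tgz http://downloads.example.invalid/tool.tgz\n",
    "scripts/release.sh": "# legacy: http://old.example.invalid/\ncurl http://localhost:8080/health\n",
    ".github/workflows/release.yml": "run: wget https://releases.example.invalid/sbom.json\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: cleartext download from {f.host}: {f.text}")
```

A URL assembled from variables at run time slips past a textual scan, which is the leakiness the comment anticipates; treating each hit as a review prompt rather than a verdict keeps the false negatives honest.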

Contributor

@funnelfiasco funnelfiasco left a comment


I think I'm good with this, other than the question I asked about -03.

baseline/OSPS-BR.yaml: two review threads (outdated, resolved)
evankanderson and others added 2 commits January 17, 2025 16:13
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: Evan Anderson <[email protected]>
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: Evan Anderson <[email protected]>