envoyproxy/envoy

Signed releases

Open

#14.076 geöffnet am 18. Nov. 2020

Auf GitHub ansehen
 (18 Kommentare) (2 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/buildarea/securityenhancementhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Running https://github.com/ossf/scorecard against https://github.com/envoyproxy/envoy gives generally a high score, but we are missing signed releases/tags. The idea is to attach a GPG ASCII signature to the release/tag artifacts.

Arguably the benefit is marginal if we trust GitHub security (how many Envoy consumers will check this signature?), but this seems a reasonable defense-in-depth best practice to follow.

Contributor Guide