envoyproxy/envoy

Signed releases

Open

#14 076 ouverte le 18 nov. 2020

Voir sur GitHub
 (18 commentaires) (2 réactions) (0 assignés)C++ (5 373 forks)batch import
area/buildarea/securityenhancementhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

Running https://github.com/ossf/scorecard against https://github.com/envoyproxy/envoy gives generally a high score, but we are missing signed releases/tags. The idea is to attach a GPG ASCII signature to the release/tag artifacts.

Arguably the benefit is marginal if we trust GitHub security (how many Envoy consumers will check this signature?), but this seems a reasonable defense-in-depth best practice to follow.

Guide contributeur