envoyproxy/envoy

Signed releases

Open

#14.076 aperta il 18 nov 2020

Vedi su GitHub
 (18 commenti) (2 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/buildarea/securityenhancementhelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Running https://github.com/ossf/scorecard against https://github.com/envoyproxy/envoy gives generally a high score, but we are missing signed releases/tags. The idea is to attach a GPG ASCII signature to the release/tag artifacts.

Arguably the benefit is marginal if we trust GitHub security (how many Envoy consumers will check this signature?), but this seems a reasonable defense-in-depth best practice to follow.

Guida contributor