envoyproxy/envoy

Signed releases

Open

#14.076 aberto em 18 de nov. de 2020

Ver no GitHub
 (18 comments) (2 reactions) (0 assignees)C++ (5.373 forks)batch import
area/buildarea/securityenhancementhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Running https://github.com/ossf/scorecard against https://github.com/envoyproxy/envoy gives generally a high score, but we are missing signed releases/tags. The idea is to attach a GPG ASCII signature to the release/tag artifacts.

Arguably the benefit is marginal if we trust GitHub security (how many Envoy consumers will check this signature?), but this seems a reasonable defense-in-depth best practice to follow.

Guia do colaborador