envoyproxy/envoy

Signed releases

Open

#14,076 创建于 2020年11月18日

在 GitHub 查看
 (18 评论) (2 反应) (0 负责人)C++ (5,373 fork)batch import
area/buildarea/securityenhancementhelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

Running https://github.com/ossf/scorecard against https://github.com/envoyproxy/envoy gives generally a high score, but we are missing signed releases/tags. The idea is to attach a GPG ASCII signature to the release/tag artifacts.

Arguably the benefit is marginal if we trust GitHub security (how many Envoy consumers will check this signature?), but this seems a reasonable defense-in-depth best practice to follow.

贡献者指南