←back to thread

218 points miketheman | 1 comments | | HN request time: 0.207s | source
Show context
ris ◴[] No.42141666[source]
I'm not really convinced of the value of such attestations until a second party can reproduce the build themselves on their own hardware.

Putting aside the fact that the mechanisms underpinning Github Actions are a mystery black box, the vast vast vast majority of github workflows are not built in a reproducible way - it's not even something that's encouraged by Github Actions' architecture, which emphasises Actions' container images that are little more than packaged installer scripts that go and download dependencies from random parts of the internet at runtime. An "attestation" makes no guarantee that one of these randomly fetched dependencies hasn't been usurped.

This is not to go into the poor security record of Github Actions' permissions model, which has brought us all a number of "oh shit" moments.

replies(1): >>42147338 #
1. mhils ◴[] No.42147338[source]
Fully reproducible builds would of course be nicer from a security standpoint, but attestations have vastly lower implementation costs and scale much better while still raising the bar meaningfully.