feat: verify sourceURI for npm packages #521
Conversation
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
@@ -123,13 +125,17 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string, v | |||
return nil | |||
} | |||
|
|||
func sourceFromURI(uri string) (string, error) { | |||
// NOTE: `allowNoRef` is to allow for verification of npm packages |
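Review bot: the NOTE on `allowNoRef` in `sourceFromURI` only says that it exists to allow verification of npm packages; it should state the exact relaxation (a source URI that carries no ref is accepted) and its consequence, namely that without a ref the verifier cannot pin the package to a specific tag or commit of the repository, so the guarantee callers get is weaker than for the non-npm path. Since the thread agrees this is a temporary allowance, the comment should also reference the tracking issue (#524) so the relaxation is not forgotten once the npm provenance format stabilizes.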
should we set a tracking issue to remove this after GA?
Good idea. I was hesitant because I don't know that we'll be able to remove it right away, since some provenance will have been generated with this code. Unless all the provenance generated before GA is considered "not prod ready" and the npm team removes it. Created #524
We can maybe only allow it for provenance created before a certain date? or something like that?
Yeah, I wonder about #524, and we can ask them when they go GA - I expect that is when they will stabilize
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: Ian Lewis <[email protected]> Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
closes #492