Jacques Chester
It might be worth discussing the binary build question with folks from ActiveState, who already specialise in this kind of thing.
I agree that some kind of reviewing or four-eyes rule should be in effect at lower SLSA levels. (Xref #95, which is tangentially related.)
As an aspiration, yes, but the value of signatures varies a lot according to the implementation. I'm not sure how deep down the rabbit hole we'd need to go (e.g., ...
> However, is the list of caveats around "where it makes sense" too large to warrant the effort? The unhappy answer is: it depends. The water level for signatures is...
> For me, the thing I like about signed artifacts is around figuring out what identities performed what. I see signatures as doing two things: providing authenticity and proving integrity....
I think we'd need to solve the problem of misleading entries (which I hadn't considered, shame on me) before we could roll this out. Another issue to consider is that...
> Instead these artifacts should be signed via an OIDC identity token generated by some authorization service for the index, where the identity corresponds to an identity on the index...
This thread is giving me a lot of food for thought. One thing I'm confident in, though -- I'm wary of having multiple flavours of IdPs: 1st party (run your...
To be clear, I'm using 1st/2nd/3rd party to refer to who provides an assertion of identity as an input to signing, not to who signs. I still see the signing...
> This sounds like the best of both worlds since it can be managed outside of rubygems.org and indeed could be shared across multiple package indexes within one service....