transparent-release

Making transparency normal!

Results 20 transparent-release issues

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.11.0 to 0.17.0. Commits 9d2ee97 ssh: implement strict KEX protocol changes 4e5a261 ssh: close net.Conn on all NewServerConn errors 152cdb1 x509roots/fallback: update bundle fdfe1f8 ssh: defer channel...

dependencies

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.1 to 1.56.3. Release notes Sourced from google.golang.org/grpc's releases. Release 1.56.3 Security server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487) In addition to this...

dependencies

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. Commits b225e7c http2: limit maximum handler goroutines to MaxConcurrentStreams 88194ad go.mod: update golang.org/x dependencies 2b60a61 quic: fix several bugs in flow control accounting 73d82ef...

dependencies

The added doc provides detailed definitions for the Transparent Release concepts and a generalised description of the process.

This makes it clear whether a verification was run and, if so, what the details of the verification were.

Currently, in the verifier, the endorser, and `ProvenanceIR`, we assign different meanings to a nil string and an empty ("") string. This is against some best practices: > https://go.dev/doc/effective_go#allocation_new discusses...

Some style guidelines that we currently don't follow strictly:

- Drop `Get` in methods (see [Getters](http://go/go-style/decisions#getters))
- Short receiver names (see [Receiver names](http://go/go-style/decisions#receiver-names))

good first issue
Core

A conventional pattern in tests is to use the [cmp package](https://pkg.go.dev/github.com/google/go-cmp/cmp) and the following pattern:

```go
if diff := cmp.Diff(got, want); diff != "" {
	t.Errorf("")
}
```

Ideally this should...

good first issue
Core

We can get inspiration from the check in [verifySignedAttestation](https://github.com/slsa-framework/slsa-verifier/blob/82cb42fb2084c5b9b2d3707d46e1641ccaaab267/verifiers/internal/gha/rekor.go#L310) in SLSA. However, we do want to avoid fetching information from Rekor, if possible.

endorser
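As an added example (not code from transparent-release or slsa-verifier) of the kind of local check the issue above is after: verifying a DSSE-enveloped statement against a pre-shared endorser public key, with nothing fetched from Rekor. The envelope layout and the pre-authentication encoding follow the DSSE specification; the key id `endorser-key-1`, the payload type `application/vnd.in-toto+json`, the ECDSA P-256 key and the sample in-toto statement are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE JSON envelope: a payload type, the base64 payload, and
// one or more signatures over PAE(payloadType, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature carries a base64 signature and the id of the key that produced it.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae builds the DSSE pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
// Binding the type into the signed bytes stops a payload from being
// re-interpreted under a different payload type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps payload in an envelope with one ECDSA P-256 signature over SHA-256(PAE).
func Sign(priv *ecdsa.PrivateKey, keyID, payloadType string, payload []byte) (*Envelope, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify accepts env only if its payloadType is the expected one and at least
// one signature attributed to trustedKeyID verifies under pub. The pre-shared
// key is the sole root of trust here; no transparency log is consulted.
func Verify(pub *ecdsa.PublicKey, trustedKeyID, expectedType string, env *Envelope) ([]byte, error) {
	if env.PayloadType != expectedType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	for _, s := range env.Signatures {
		if s.KeyID != trustedKeyID {
			continue // signatures from keys we do not trust are ignored, not rejected
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			continue
		}
		if ecdsa.VerifyASN1(pub, digest[:], raw) {
			return payload, nil
		}
	}
	return nil, errors.New("no valid signature from the trusted key")
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload: a minimal in-toto statement (assumption, not a real endorsement).
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"binary","digest":{"sha256":"00"}}]}`)
	const keyID, ptype = "endorser-key-1", "application/vnd.in-toto+json"
	env, _ := Sign(priv, keyID, ptype, payload)
	raw, _ := json.Marshal(env) // the bytes that would be stored next to the binary
	var parsed Envelope
	_ = json.Unmarshal(raw, &parsed)
	if _, err := Verify(&priv.PublicKey, keyID, ptype, &parsed); err != nil {
		panic(err)
	}
	parsed.Payload = base64.StdEncoding.EncodeToString([]byte(`{"_type":"tampered"}`))
	_, err = Verify(&priv.PublicKey, keyID, ptype, &parsed)
	fmt.Println("tampered payload rejected:", err != nil)
}
```

The check deliberately compares the key id before verifying, so a signature from an unknown key is skipped rather than treated as a failure; what it cannot tell you is whether the endorser's key was later revoked or whether the same statement was ever logged, which is the information a Rekor lookup would add.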

Split the FuzzBinder functions that handle the perTarget and perProject cases at the same time into smaller functions.

fuzzbinder