You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When releasing a new version, a zip file is constructed containing the release and a "GitHub Release" is created for a repo (for example, see the v1.0 release).
Unfortunately, anyone with write access to the caliptra-sw or caliptra-rtl repositories can modify the released artifacts, without any additional review or audit logging. You can imagine a scenario where an insider modifies the release to add a backdoor, a vendor downloads the release to integrate in their project, and later the insider switches the binary back to the original version to hide the evidence.
Potential solutions:
Delete all releases and require vendors to checkout the repo.
Publish artifacts into a "caliptra-releases" git repo.
When releasing a new version, a zip file is constructed containing the release and a "GitHub Release" is created for a repo (for example, see the v1.0 release).
Unfortunately, anyone with write access to the caliptra-sw or caliptra-rtl repositories can modify the released artifacts, without any additional review or audit logging. You can imagine a scenario where an insider modifies the release to add a backdoor, a vendor downloads the release to integrate in their project, and later the insider switches the binary back to the original version to hide the evidence.
Potential solutions:
The text was updated successfully, but these errors were encountered: