Assess signing/provenance needs of the Rails Kubernetes Operator #36
Comments
kingdonb
changed the title
|
This may have already been implemented by #32 – I honestly don't know how to decode the SBOM information, well enough to determine if it identifies a gem that is missing a license, (or what specifically this is supposed to have told in attestations.) This is an assessment because my understanding of this topic is currently very thin. I know there is an SBOM and I believe that's different than the provenance attestations. I'm not sure how they're related, or which one certifies the other, or even if that's how it works. I need some experts to weigh in, maybe the Flux Bug Scrub team can help out next time we meet 😁🔥 |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Repeat of #35, but for the Ruby on Rails app stack that runs the
kubernetes-operatorgem.Whatever we're calling an implementation of provenance, obviously fails the test if there isn't some alert presented about the dependency on
kubernetes-operatorgem that has no license or provenance(You can refer to this issue to understand why that is the case):
https://gitlab.com/tobiaskuntzsch/kubernetes-operator/-/issues/1
The text was updated successfully, but these errors were encountered: