Conversation
This PR was moved from apache/commons-build-plugin#417 It adds a goal to generate a [SLSA](https://slsa.dev/) build attestation and attaches it to the build as a file with the `.intoto.json` extension. The attestation records the following information about the build environment: - The Java version used (vendor, version string) - The Maven version used - The `gitTree` hash of the unpacked Java distribution - The `gitTree` hash of the unpacked Maven distribution
|
You can find the documentation of what elements are contained in the attestations in this file (included in the PR): https://github.com/apache/commons-release-plugin/blob/feat/slsa/src/site/markdown/slsa/v0.1.0.md I have some doubts regarding, which dependencies of the project build should be included in the attestation:
|
|
What about the JDK or OS? |
|
Information about the JDK is already present. I don't know if we need information about the OS: that information is usually partially included in the JDK version strings. |
garydgregory
left a comment
garydgregory
left a comment
There was a problem hiding this comment.
There is no need for an additional level of "internal" package naming IMO since the whole component is "internal" to our release process.
Artifacts are signed using the Maven GPG Plugin and the results are wrapped in the DSSE envelope.
|
In 16f776f I added support for DSSE envelope signing, which leverages the functionality of the GPG Maven plugin to sign the attestation with GPG and wrap both the payload and signature in a single file. A lot of it is vibe-coded, mostly reviewed, but it needs a thorough review, especially on the documentation side. If this helps, I could split this PR into three parts:
What do you think? |
|
I don't want to review vibe coded output until you review it line-by-line and prune/validate any junk out of it. When you say it's been proofed, I'll take a look. |
|
I have reviewed the generated parts, fixed Javadoc comments and added additional tests. The code is the first thing I look at and verify line by line. I must admit I don't look too much at Javadoc, especially since this project requires every method (even |
|
If you don't review something, delete it then. Otherwise, you are effectively asking someone else to do it for you 😉 |
|
That is what I did with overly complex Javadoc comments. |
|
As I mentioned before, this PR might be hard to check in one piece. What do you think about splitting it into pieces and discussing each piece separately? |
|
Let me take a look in the morning... |
| <module name="ImportOrder"> | ||
| <property name="option" value="top"/> | ||
| <property name="groups" value="java,javax,org"/> | ||
| <property name="groups" value="java,javax"/> |
There was a problem hiding this comment.
This change should not be required.
There was a problem hiding this comment.
IIRC this is inconsistent with other Commons projects, where com.* and org.* imports are in the same group. Is there any reason to group them separately?
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
Hi @garydgregory, I corrected some minor defects, mostly in documentation, but with two relevant changes:
Since this PR is huge, what do you think about pushing the SLSA models to |
|
I pushed the SLSA models to This should reduce the overhead of reviewing this PR. |
I added comments. A bunch of new public code with zero tests? Ahem... please fix that. |
Those classes are DTOs. The surface is getters, setters, and Jackson annotations, and this PR already exercises them indirectly through the code that uses them, so I don't think per-field getter/setter tests would add much. I looked into golden-file tests against canonical examples, but neither in-toto nor SLSA publishes a conformance fixture set, and the parts of the schema that actually vary in practice ( |
|
I've added tests that specifically exercise the serialization models with With those in place, I think coverage on this PR is in good shape:
Let me know if there's a specific area you'd like me to push further. |
|
Hi @ppkarwasz What is the relationship b/w this PR and the one in Commons Parent? Is one required by the other? |
|
The PRs are independent and follow separate SLSA tracks:
Deployed together they are stronger: you can verify that a binary comes from a particular commit and the commit was submitted to a protected branch. In recent supply-chain attacks, one of those conditions are not satisfied: for example the build is original, but the tagged commit comes from a fork, not the original repository. |
This PR was moved from apache/commons-build-plugin#417
It adds a goal to generate a SLSA build attestation and attaches it to the build as a file with the
intoto.jsonextension.The attestation records the following information about the build environment:
gitTreehash of the unpacked Java distributiongitTreehash of the unpacked Maven distribution