item 45314413

Harmon758 | 5 months ago
Immutable releases are in public preview and hopefully will make it easier to do the right thing.
https://github.blog/changelog/2025-08-26-releases-now-suppor...

blibble | 5 months ago
I don't see how that solves this problem as long as the attacker can delete and recreate a repository

sigstore's main design goal seems to be to increase the lock-in of "trusted" providers

(the idea that Microsoft should be trusted for anything requiring any level of security is entirely ludicrous)

frenchtoast8 | 5 months ago
It’s a good first step, but a significant number of GitHub Actions pull a Docker image from a repository such as Docker Hub. In those cases, the GitHub Action being immutable wouldn’t prevent the downstream Docker image from being mutated.
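A defender-side check for the tag-versus-digest gap frenchtoast8 describes, added here as an example and not code from the thread or from GitHub: it flags container image references in action metadata and workflows that are pinned by a mutable tag rather than a sha256 digest. The action.yml and workflow contents are constructed, and the line-oriented scan assumes the usual one-key-per-line layout rather than parsing YAML fully.

```python
import re
# Line-oriented scan of action.yml / workflow YAML for `image:` and `uses:` entries
# (assumes the usual one-key-per-line layout; not a full YAML parse).
IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?(image|uses):\s*['"]?(docker://)?([^'"\s]+)['"]?\s*$""")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def find_unpinned_images(text):
    """Return [(line_number, reference)] for container images referenced by tag only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        key, scheme, ref = m.groups()
        # `uses: owner/repo@v1` names an action (what immutable releases cover);
        # only `uses: docker://...` pulls an image, so skip the rest.
        if key == "uses" and not scheme:
            continue
        # A tag (:latest, :v1, :3.19) can be re-pushed on the registry at any time;
        # a sha256 digest cannot, so anything without one is flagged.
        if not DIGEST.search(ref):
            findings.append((lineno, ref))
    return findings
# Constructed samples (not from the thread): a Docker-based action and a workflow.
PINNED_DIGEST = "sha256:" + "0123456789abcdef" * 4

SAMPLE_ACTION_YML = """\
name: 'example-action'
runs:
  using: 'docker'
  image: 'docker://alpine:3.19'
"""

SAMPLE_WORKFLOW_YML = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/builder:latest
    services:
      db:
        image: postgres:16@{PINNED_DIGEST}
    steps:
      - uses: docker://ghcr.io/example/tool:v1
      - uses: docker://ghcr.io/example/tool@{PINNED_DIGEST}
"""

if __name__ == "__main__":
    print(find_unpinned_images(SAMPLE_ACTION_YML), find_unpinned_images(SAMPLE_WORKFLOW_YML))
```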