Motivation
An important part of rebuilding open source packages is to alert consumers when a package is failing to rebuild (potentially due to malicious code in the public version of the package). Currently we do not have the resources to attempt rebuilds on, or to guarantee an SLO for, every package in every ecosystem we have implemented. Which packages can consumers depend on OSS Rebuild to consistently provide signals for?
Supported Packages
We should define the concept of "supported" packages: packages for which OSS Rebuild attempts to rebuild new versions as they are published. If the rebuild succeeds, we will publish a rebuild attestation within some SLO. How we communicate failed packages is TBD. As a first pass, the absence of a rebuild attestation inside the SLO can be considered a signal that the rebuild failed. In the future, we can define a more descriptive and explicit signal describing rebuild failures, probably utilizing the documented diff defined in #228. I opened #247 to track that future effort to define the format.
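To make the "absence inside the SLO is the failure signal" rule concrete from the consumer side, here is an added example of how a downstream policy check could interpret it. This is illustrative code, not OSS Rebuild's own tooling; the supported-package list, the 24-hour SLO, the attestation lookup set and the package names are all constructed assumptions. The point it shows is that absence only carries meaning for a supported package whose SLO window has already elapsed: a version that is still inside the window is pending, not failed, and an unsupported package yields no signal either way.

```python
"""Consumer-side interpretation of the proposed "supported package" signal.

Added example, not OSS Rebuild's own code. It assumes a consumer already has:
  * the set of (ecosystem, name) pairs OSS Rebuild marks as supported,
  * the publish time of each package version it depends on,
  * the set of (ecosystem, name, version) triples with a published rebuild attestation.
All of these inputs are constructed inline below; the SLO value is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class RebuildStatus(Enum):
    ATTESTED = "attested"                # rebuild succeeded and an attestation was published
    PENDING = "pending"                  # supported, still inside the SLO, no attestation yet
    NO_ATTESTATION = "no-attestation"    # supported, SLO elapsed, nothing published: failure signal
    UNSUPPORTED = "unsupported"          # not a supported package, so absence means nothing


@dataclass(frozen=True)
class PackageVersion:
    ecosystem: str
    name: str
    version: str
    published_at: datetime


def classify(
    pv: PackageVersion,
    supported: set[tuple[str, str]],
    attested: set[tuple[str, str, str]],
    slo: timedelta,
    now: datetime,
) -> RebuildStatus:
    """Apply the first-pass rule: for a supported package, the absence of an
    attestation once the SLO has elapsed is the failure signal. An attestation
    that does exist always wins, and unsupported packages never report failure."""
    if (pv.ecosystem, pv.name, pv.version) in attested:
        return RebuildStatus.ATTESTED
    if (pv.ecosystem, pv.name) not in supported:
        return RebuildStatus.UNSUPPORTED
    if now - pv.published_at < slo:
        return RebuildStatus.PENDING
    return RebuildStatus.NO_ATTESTATION


def should_block(status: RebuildStatus, block_pending: bool = False) -> bool:
    """Example enforcement policy: refuse to install when the failure signal fires.
    Blocking on PENDING is optional; a strict consumer may prefer to wait out the SLO."""
    if status is RebuildStatus.NO_ATTESTATION:
        return True
    return block_pending and status is RebuildStatus.PENDING


def report(
    versions: list[PackageVersion],
    supported: set[tuple[str, str]],
    attested: set[tuple[str, str, str]],
    slo: timedelta,
    now: datetime,
) -> dict[str, RebuildStatus]:
    """Classify every dependency, keyed as ecosystem/name@version."""
    return {
        f"{pv.ecosystem}/{pv.name}@{pv.version}": classify(pv, supported, attested, slo, now)
        for pv in versions
    }


# Constructed sample inputs (hypothetical packages, SLO and attestation state).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SLO = timedelta(hours=24)
SUPPORTED = {("npm", "example-widget"), ("pypi", "examplelib")}
ATTESTED = {("npm", "example-widget", "1.2.3")}
SAMPLE = [
    PackageVersion("npm", "example-widget", "1.2.3", NOW - timedelta(days=2)),   # attested
    PackageVersion("npm", "example-widget", "1.2.4", NOW - timedelta(hours=1)),  # inside SLO
    PackageVersion("pypi", "examplelib", "4.0.0", NOW - timedelta(days=3)),      # SLO elapsed
    PackageVersion("cratesio", "tinytool", "0.1.0", NOW - timedelta(days=3)),    # not supported
]

if __name__ == "__main__":
    for key, status in report(SAMPLE, SUPPORTED, ATTESTED, SLO, NOW).items():
        print(f"{key}: {status.value} (block={should_block(status)})")
```

The ordering of the checks matters: an attestation is honoured regardless of support status, and the unsupported case is decided before the clock is consulted, so a consumer never mistakes "OSS Rebuild never tried" for "the rebuild failed".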
Open questions