Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUG: checks Signed-Releases and Packaging returning ? when the repo actually has releases on GitHub #2763

Open
diogoteles08 opened this issue Mar 16, 2023 · 8 comments
Labels
check/Signed-Releases kind/bug Something isn't working

Comments

@diogoteles08
Copy link
Contributor

Describe the bug
I'm running Scorecard v4.10.2 over projects that have releases on GitHub, but the checks Signed-Releases and Packaging return ? as Score results. As you can see on the image below, on the Packaging result I get "no published package detected" as reason, and for Signed-Releases I get "no releases found".

image

Reproduction steps
Steps to reproduce the behavior:

  1. Run Scorecard over one of the following projects:
  2. Check the Packaging and Signed-Releases result

You can evaluate directly those checks with scorecard --repo=tensorflow/tensorflow --checks=Packaging,Signed-Releases

Expected behavior
The evaluation should consider the releases on GitHub and give a punctuation accordingly.

@diogoteles08 diogoteles08 added the kind/bug Something isn't working label Mar 16, 2023
@evverx
Copy link
Contributor

evverx commented May 5, 2023

systemd releases unsigned tarballs at https://github.com/systemd/systemd/releases so it should get its well-deserved 0 instead of -1. Tags are signed there though.

@evverx
Copy link
Contributor

evverx commented Jun 11, 2023

I've been thinking about this. Could it be that tarballs generated by GitHub are somehow trusted and ignored because of that? https://wiki.debian.org/Creating%20signed%20GitHub%20releases (which scorecard refers to) expects people to verify them but at least systemd tried that and decided not to go forward with that systemd/systemd#2926. At this point distros caring about those things use signed git tags but realistically most distributions take systemd from its stable repository so it doesn't matter much what this check says because it isn't applicable to how systemd is normally consumed.

@evverx
Copy link
Contributor

evverx commented Jun 11, 2023

More generally since they are generated by GitHub maybe GitHub should sign them itself (ideally once it verifies that tags those tarballs are based on are properly signed). It could also generate provenance :-)

@diogoteles08
Copy link
Contributor Author

Related to #688

@pnacht
Copy link
Contributor

pnacht commented Jan 11, 2024

Glancing at the Scorecard code, it doesn't seem to disconsider the automatically-generated assets created for a release. It may be that the API they use doesn't list such assets.

That's not unreasonable (though understandably unexpected), since those assets don't really exist. They're actually generated on-the-fly via Git every time they're requested. This actually lead to a huge breakage in early 2023 when GitHub upgraded their Git version, which had itself upgraded the library it uses to generate the tarballs.

@evverx
Copy link
Contributor

evverx commented Jan 11, 2024

those assets don't really exist

I think it's a GitHub bug. It should make sure that stuff it automatically generates and distributes via its own platform can't be tampered with and also let consumers verify that. That's the essence of the supply chain security :-)

@raghavkaul
Copy link
Contributor

Related, see discussion here: https://github.com/ossf/scorecard/pull/2186/files#r951620855

@evverx
Copy link
Contributor

evverx commented Jan 11, 2024

see discussion here: https://github.com/ossf/scorecard/pull/2186/files#r951620855

I agree that scorecard should say "inconclusive" in this particular case but since those tarballs are automatically injected into releases they still should be dealt with by GitHub. Or it shouldn't generate them at all and let consumers find things with signatures instead of blindly trusting GitHub with its tarballs with unknown provenance.

@afmarcum afmarcum moved this to Backlog - Bugs in Scorecard - NEW Mar 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
check/Signed-Releases kind/bug Something isn't working
Projects
Status: Backlog - Bugs
Development

No branches or pull requests

5 participants