I-Sigstore, insiza yamahhala yokuqinisekisa umsuka nokuba yiqiniso kwesoftware

Darkcrizt

Imizuzu ye-4

Ngomzamo wokuthola ukuthengwa kwamahhala kwesoftware, i- Isisekelo se-Linux (inhlangano engenzi nzuzo ekhuthaza ukusungula okusha ngomthombo ovulekile) ubambisene neRed Hat, Google, nePurdue University ukwethula iphrojekthi entsha yokusiza onjiniyela bamukele kalula isiginesha ye-cryptographic kwisoftware.

Este iphrojekthi entsha kusekelwa ubuchwepheshe obubonisa ngokusobala, njengezinga lokwanda lokwamukelwa kwezimboni elikhulayo lesoftware yomthombo, iphrojekthi, I-Sigstore, ihlose ukuvimbela ukuhlaselwa kwendawo yokugcina isoftware yomphakathi ekujojeleni ikhodi eyonakele ku-supply chain.

I-Sigstore kuzovumela abathuthukisi be-software ukuthi basayine ngokuphepha izinto zobuciko zesoftware ezinjengamafayela wenguqulo, izithombe zeziqukathi, kanye nama-binaries. Kuyashiwo ukuthi izinto ezisayiniwe zigcinwa kumagazini womphakathi angenabufakazi.

I-SigStore ifuna ukunika amandla onjiniyela ukuthi baqonde futhi baqinisekise umsuka nokuba yiqiniso kwesoftware esekwe kusethi yezindlela ezahlukahlukene nezindlela zedatha. Izixazululo ezikhona zivame ukususelwa "ezifingqweni" (i-hash noma imiphumela yomsebenzi we-hash) egcinwe kumasistimu angazethembi, angonakaliswa futhi aholele ekuhlaselweni okuhlukahlukene, njengokushintshaniswa kwe-hashi noma ukusebenza kwe-hash, ukuhlaselwa okuqondiswe kubasebenzisi.

Ukusetshenziswa kwensiza kuzoba mahhala kubo bonke abathuthukisi be-software kanye nabathengisi, futhi umphakathi we-SigStore uzothuthukisa ikhodi namathuluzi okusebenza we-sigstore. IRed Hat, iGoogle nePurdue University baphakathi kwamalungu asungula iphrojekthi.

"ISigstore inika amandla yonke imiphakathi evulelekile ukuthi isayine isoftware yayo futhi ihlanganise iprovenance, ubuqotho nokutholakala kwayo ukuze yakhe ubuchwepheshe obusobala futhi obuqinisekisiwe," kusho uLuke Hinds, isikhulu sezokuphepha, ehhovisi leRed Hat CTO. "Ngokusingatha lokhu kusebenzisana kwaLinux Foundation, singasheshisa umsebenzi wethu wokuthengisa izitolo bese sisekela ukwamukelwa okuqhubekayo nomthelela wesoftware yomthombo ovulekile nentuthuko."

“Ukuqinisekisa ukuthi i-software iyasetshenziswa kufanele kuqale ngokuqinisekisa ukuthi sisebenzisa isoftware esicabanga ukuthi sinayo. I-sigstore imele ithuba elihle lokuletha ukwethembana okukhulu kanye nokwenza izinto obala ku-source source supply supply chain, ”kusho uJosh Aas,

Ukuphikisana ngokuthi ukuthengwa kwesoftware yanamuhla kuvezwe ezingozini eziningi, iphrojekthi ithi amathuluzi akhona, okubandakanya abantu ukuhlangana mathupha ukusayina okhiye, futhi okusebenze kahle isikhathi eside, ngeke isatholakala endaweni yanamuhla enezindawo ezihlakazeke ngokwendawo.

Futhi, kushiwo lokho kunamaphrojekthi womthombo ovulekile ambalwa kakhulu asayina i-cryptographically software version artifacts. Lokhu kungenxa yezinselelo ababheki bezinhlelo ze-software ababhekana nazo ekuphathweni okubalulekile, ukuyekethisa okubalulekile, ukuhoxiswa nokusatshalaliswa kokhiye bomphakathi kanye nezinto zakudala ze-hash. Lokhu kusho ukuthi abasebenzisi kumele bathole ukuthi iziphi izinkinobho zokuthembela futhi bafunde izinyathelo ezidingekayo ukuqinisekisa isiginesha.

“I-Sigstore ihlose ukwenza zonke izinhlobo zesoftware yomthombo ovulekile iqinisekiswe nokwenza lula ukuqinisekiswa ngabasebenzisi. Siyethemba ukuthi lokhu singakwenza kube lula njengokuphuma e-vim, ”kusho uDan Lorenc, unjiniyela wesoftware ethimbeni elivulekile lezokuphepha le-Google. 

Enye inkinga ukuthi ama-hashes nezikhiye zomphakathi zisatshalaliswa kanjani: zivame ukugcinwa kumawebhusayithi angahle angene ngokugqekeziwe noma kufayela le-README elitholakala endaweni yokugcina yomphakathi ye-git.

I-SigStore ifuna ukubhekana nalezi zinkinga ngokusebenzisa okhiye be-ephemeral abaphila isikhashana ngempande yokwethembana ethathwe kwirejista yokubonisa okusobala yomphakathi evulekile futhi eqinisekisiwe. Insiza entsha izosiza abathuthukisi nabasebenzisi baqonde futhi baqinisekise imvelaphi nobuqotho besoftware, enekhanda elincane.

“Ngijabule kakhulu ngohlelo olufana ne-sigstore. Uhlelo lwe-ecosystem lwesoftware ludinga ngokuphuthumayo uhlelo olunjalo ukubika ngesimo se-supply chain. Ngicabanga ukuthi nge-sigstore, ephendula yonke imibuzo ephathelene nemithombo yesoftware nobunikazi, singaqala ukubuza imibuzo ngezindawo okungena kuzo ama-software, abathengi, ukuthobela (okusemthethweni nokunye), ukuthola amanethiwekhi obugebengu nokuvikela izingqalasizinda ezibucayi zesoftware. ”, Kusho uSantiago Torres-Arias


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.