When releasing a new version, a zip file is constructed containing the release and a "GitHub Release" is created for a repo (for example, see the v1.0 release).
Unfortunately, anyone with write access to the caliptra-sw or caliptra-rtl repositories can modify the released artifacts, without any additional review or audit logging. You can imagine a scenario where an insider modifies the release to add a backdoor, a vendor downloads the release to integrate in their project, and later the insider switches the binary back to the original version to hide the evidence.
Potential solutions:
- Delete all releases and require vendors to checkout the repo.
- Publish artifacts into a "caliptra-releases" git repo.
- Publish artifacts to our GitHub Pages site.
When releasing a new version, a zip file is constructed containing the release and a "GitHub Release" is created for a repo (for example, see the v1.0 release).
Unfortunately, anyone with write access to the caliptra-sw or caliptra-rtl repositories can modify the released artifacts, without any additional review or audit logging. You can imagine a scenario where an insider modifies the release to add a backdoor, a vendor downloads the release to integrate in their project, and later the insider switches the binary back to the original version to hide the evidence.
Potential solutions: