[Security] Add canary statement #8710

Open
replicadse opened this issue May 7, 2024 · 3 comments
Comments

@replicadse

replicadse commented May 7, 2024

Feature Request

As an operating system, Talos Linux is a critical part of the system if used for production workloads. As such, it is important to verify the integrity of the system (and developers). With that being said, I suggest the following changes to increase security for this amazing piece of software.

Asset checksums

I suggest that we add checksums to the asset downloads on the release page. These can be used to verify that a downloaded file has not been tampered with in transit. This is generally a best practice when downloading critical software and prevents a range of attacks that could compromise the asset.

Canary

In order to increase trust in Talos Linux, I suggest that siderolabs adds a canary statement to verify that a release does not contain a backdoor or other types of undesired malware. In many countries, law enforcement can seize property (like Talos as IP) and modify / redistribute it with backdoors. They can require you to not speak out but can't require you to take certain actions (such as signing with a PGP key etc.).
Long story short, I think a critical piece of infrastructure such as an OS should provide a canary statement that no such incident took place. Whonix is such an example, providing a canary including recent headlines to prove it's recent.

@smira
Member

smira commented May 7, 2024

Most critical release assets are reproducible, so you can build it yourself from source and compare to the released assets. This provides better protection/trust than any other measures.

The reproducible assets are:

  • kernel
  • initramfs
  • installer container
  • imager container

Every other asset can be produced from the above.

@steverfrancis
Collaborator

There are sha256sum.txt and sha512sum.txt published with every release - are those not the checksums you mean?

@replicadse
Author

@steverfrancis yes correct - I must've missed these three times while looking through the list. Excellent!
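As an added example (not code from the issue or from the Talos project), this is the verification step the thread refers to: a small checker that compares a download directory against the sha256sum.txt and sha512sum.txt shipped with a release, assuming those files use the coreutils `sha256sum`/`sha512sum` line format. It goes slightly beyond `sha256sum -c` by also flagging files that are present but unlisted, or listed but not downloaded; the asset names in the demo are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_checksum_file(text: str) -> dict:
    """Parse coreutils-style '<hex>  <name>' lines; a '*' before the name marks binary mode."""
    listed = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not digest or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        listed[name] = digest.lower()
    return listed

def verify_assets(asset_dir: Path, algos=("sha256", "sha512")) -> dict:
    """Check every file in asset_dir against <algo>sum.txt for each algo and return
    {name: 'ok' | 'mismatch' | 'unlisted' | 'missing'}; 'ok' needs every listing and digest to agree."""
    listings = {a: parse_checksum_file((asset_dir / f"{a}sum.txt").read_text()) for a in algos}
    results = {}
    for path in sorted(asset_dir.iterdir()):
        if path.name in {f"{a}sum.txt" for a in algos}:
            continue  # the checksum files themselves are not assets
        verdicts = set()
        for algo, listed in listings.items():
            expected = listed.get(path.name)
            if expected is None:
                verdicts.add("unlisted")  # present, but nobody vouched for it
            else:
                actual = hashlib.new(algo, path.read_bytes()).hexdigest()  # stream for big images
                verdicts.add("ok" if actual == expected else "mismatch")
        results[path.name] = next(v for v in ("mismatch", "unlisted", "ok") if v in verdicts)
    for listed in listings.values():
        for name in listed:
            results.setdefault(name, "missing")  # listed for the release but not downloaded
    return results

def run_demo() -> dict:
    """Constructed scenario (sample names, not real release files): good, tampered, unlisted, absent."""
    tmp = Path(tempfile.mkdtemp())
    assets = {"kernel-amd64": b"kernel bytes", "initramfs-amd64.xz": b"initramfs bytes"}
    for name, data in assets.items():
        (tmp / name).write_bytes(data)
    for algo in ("sha256", "sha512"):
        lines = [f"{hashlib.new(algo, d).hexdigest()}  {n}" for n, d in assets.items()]
        lines.append(f"{hashlib.new(algo, b'installer').hexdigest()}  installer-amd64.tar")
        (tmp / f"{algo}sum.txt").write_text("\n".join(lines) + "\n")
    (tmp / "initramfs-amd64.xz").write_bytes(b"tampered")  # altered after checksums were written
    (tmp / "metal-amd64.iso").write_bytes(b"not listed")   # extra file no listing covers
    return verify_assets(tmp)
```

Checksum files fetched from the same release page as the assets only catch corruption or substitution between that page and you; if the release itself were replaced, the checksums would be replaced with it, which is why the reproducible builds mentioned above are the stronger check.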

@replicadse replicadse changed the title [Security] Add asset checksums and canary statement [Security] Add ~~asset checksums~~ and canary statement May 7, 2024
@replicadse replicadse changed the title [Security] Add ~~asset checksums~~ and canary statement [Security] Add canary statement May 7, 2024