As an operating system, Talos Linux is a critical part of the system if used for production workloads. As such, it is important to verify the integrity of the system (and developers). With that being said, I suggest the following changes to increase security for this amazing piece of software.
Asset checksums
I suggest that we add checksums to the asset downloads on the release page. These can be used to verify that a downloaded file has not been tampered with in transit. This is generally a best practice when downloading critical software and prevents a range of attacks that could compromise the asset.
Canary
In order to increase trust in Talos Linux, I suggest that siderolabs adds a canary statement to verify that a release does not contain a backdoor or other types of desired malware. In many countries, law enforcement can seize property (like Talos as IP) and modify / redistribute it with backdoors. They can require you to not speak out but can't require you to take certain actions (such as signing with a PGP key etc).
Long story short, I think a critical piece of infrastructure such as an OS should provide a canary statement that no such incident took place. Whonix is such an example, providing a canary incl. recent headlines to prove it's recent.
Most critical release assets are reproducible, so you can build them yourself from source and compare them to the released assets. This provides better protection/trust than any other measures.
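The comparison described in the reply above, as an added example (not part of the thread and not the Talos project's code): it hashes each downloaded release asset and the same-named file from a local rebuild, then reports any that differ or are missing. The directory layout and the asset file names in the demo are assumptions, and the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large OS images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_builds(downloaded_dir, rebuilt_dir):
    """Return {asset name: status} for every file found in either directory."""
    downloaded = {p.name: p for p in Path(downloaded_dir).iterdir() if p.is_file()}
    rebuilt = {p.name: p for p in Path(rebuilt_dir).iterdir() if p.is_file()}
    report = {}
    for name in sorted(downloaded.keys() | rebuilt.keys()):
        if name not in rebuilt:
            report[name] = "not-rebuilt"      # nothing to compare against
        elif name not in downloaded:
            report[name] = "not-downloaded"
        elif sha256_file(downloaded[name]) == sha256_file(rebuilt[name]):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"         # treat as untrusted until explained
    return report


def all_verified(report):
    """True only if at least one asset was compared and every one matched."""
    return bool(report) and all(status == "match" for status in report.values())


if __name__ == "__main__":
    # Constructed demo: hypothetical asset names, placeholder contents.
    with tempfile.TemporaryDirectory() as dl, tempfile.TemporaryDirectory() as rb:
        (Path(dl) / "kernel-amd64").write_bytes(b"kernel bytes")
        (Path(rb) / "kernel-amd64").write_bytes(b"kernel bytes")
        (Path(dl) / "initramfs-amd64.xz").write_bytes(b"released initramfs")
        (Path(rb) / "initramfs-amd64.xz").write_bytes(b"rebuilt initramfs")
        result = compare_builds(dl, rb)
        for asset, status in result.items():
            print(f"{status:15} {asset}")
        print("all verified:", all_verified(result))
```

An asset reported as `not-rebuilt` has not been verified at all, which is why `all_verified` requires every entry to be `match` rather than merely the absence of `MISMATCH`.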