This is not a feature request, so it doesn't need to be reviewed. It is a place to note and link all the ideas for end-to-end supply chain security.
While this will be thought up in terms of ALP, some of it might be applicable earlier. No promises either way.
https://en.opensuse.org/openSUSE:Reproducible_Builds
verified reproducible builds, maybe as SLSA 5 https://github.com/slsa-framework/slsa/issues/5
git support for sha256 instead of sha1
Interesting, we'll discuss it today at the meeting.
Metadata Update from @lkocman: - Issue set to the milestone: ALP
Exit criteria:
This could be closed after the planning is done. We know what needs to be implemented in zypper, we know what should be implemented in OBS. This is a public tracker for progress on these items.
Metadata Update from @lkocman: - Custom field SUSE Jira - SUSE Linux Enterprise adjusted to https://jira.suse.com/browse/ALPGW-6
This is impossible to implement. The OBS part alone would require changing fundamentally how it works, since we'd need to preserve the build environments of every build like Koji does.
I do not see any fundamental change being necessary. OBS preserves the build environment of every build in the _buildenv file.
Metadata Update from @lkocman: - Issue set to the milestone: 16.0 (was: ALP)