[SSDF Epic] A: Secure Adoptium #126
For A.1.1, Adoptium has a support policy on: https://adoptium.net/support.html

Action Items
Adoptium support policy page was updated alongside the website revamp. Here's an updated list of notable items:
Noting here I plan to investigate A.1.2.

For A.1.2: Monitor and ensure the integrity of customer-facing repositories.

Customer-facing repositories that Adoptium directly controls the uploading of artifacts to include:

Customer-facing APIs that Adoptium controls and users can download artifacts from include:

All of the items above should be monitored to ensure the continued integrity of Adoptium artifacts that users can download onto their machines. A possible solution is to periodically download the artifacts (binary, sha file, metadata, etc.), and when applicable, verify them against an internal 'vault' copy. This should also be done using the API to monitor the integrity of that service.

Note: Third-party distributors such as SDKMan/Chocolatey that take our binaries and redistribute them are not of concern for this issue.

Note: The JSON metadata provided by vendors for the Marketplace already includes public/private key checking.
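One way the periodic check described above could be implemented, as an added example that is not code from this issue or from Adoptium's own tooling: it cross-checks a downloaded binary, its published sha256sum-style companion file, and an internal vault record, and reports every disagreement rather than stopping at the first. The artifact bytes, filename and vault store are constructed here and assumed; a real monitor would fetch them from the download locations and API listed in the comment.

```python
import hashlib
import re

# Constructed sample data standing in for what a monitor would fetch from a
# customer-facing download location; nothing here is a real Adoptium artifact.
ARTIFACT_NAME = "OpenJDK17U-jdk_x64_linux_hotspot_17.0.0_35.tar.gz"
ARTIFACT_BYTES = b"constructed sample payload, not a real JDK archive\n"

SHA_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def sha_file_for(name: str, data: bytes) -> str:
    """Build a sha256sum-style companion file ('<hex>  <filename>') for data."""
    return hashlib.sha256(data).hexdigest() + "  " + name + "\n"


# Published companion checksum file and the internal "vault" record captured at
# release time (hypothetical store: filename -> expected sha256 hex digest).
PUBLISHED_SHA_FILE = sha_file_for(ARTIFACT_NAME, ARTIFACT_BYTES)
VAULT = {ARTIFACT_NAME: hashlib.sha256(ARTIFACT_BYTES).hexdigest()}


def parse_sha_file(text: str) -> dict[str, str]:
    """Parse a sha256sum-style file into {filename: hex digest}; blank lines ignored."""
    digests = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SHA_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def check_artifact(name: str, data: bytes, sha_file_text: str, vault: dict[str, str]) -> list[str]:
    """Cross-check binary, published sha file and vault; return findings (empty list = intact)."""
    actual = hashlib.sha256(data).hexdigest()
    try:
        published = parse_sha_file(sha_file_text).get(name)
    except ValueError as e:
        return [f"sha file unparseable: {e}"]
    expected = vault.get(name)
    findings = []
    if expected is None:
        findings.append("no vault record for this artifact")
    if published is None:
        findings.append("published sha file does not list this artifact")
    if expected and actual != expected:
        findings.append("binary differs from vault copy")
    if published and actual != published:
        findings.append("binary differs from its published sha file")
    if expected and published and expected != published:
        findings.append("published sha file differs from vault record")
    return findings
```

The vault comparison is what catches the case where both the binary and its published sha file were replaced together, which the sha file alone cannot detect.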
This issue tracks the A SSDF items and will also contain more detail for them:
Work that addresses these items can reference this epic issue.