Evidence collection for Releases - link for Release build
Problem to solve
To comply with various SDLC and security standards, we want to give users the data they need as evidence of the software chain of custody for a release.
The data already exists within GitLab; the goal is to make it easy to find and to present it in a form suitable for an audit.
Target audience
Release Managers, compliance and security teams
Further details
To prove (for example in an audit) that a release version is consistent over time, a checksum of the release is usually required. SHA-256 or SHA-512 is the norm; MD5 is collision-broken and should not be relied on as evidence. For reference, the revision syntaxes Git accepts for naming a commit or tree are listed below:
| Commit-ish/Tree-ish | Examples |
|---|---|
| 1. <sha1> | dae86e1950b1277e545cee180551750029cfe735 |
| 2. <describeOutput> | v1.7.4.2-679-g3bee7fb |
| 3. <refname> | master, heads/master, refs/heads/master |
| 4. <refname>@{<date>} | master@{yesterday}, HEAD@{5 minutes ago} |
| 5. <refname>@{<n>} | master@{1} |
| 6. @{<n>} | @{1} |
| 7. @{-<n>} | @{-1} |
| 8. <refname>@{upstream} | master@{upstream}, @{u} |
| 9. <rev>^ | HEAD^, v1.5.1^0 |
| 10. <rev>~<n> | master~3 |
| 11. <rev>^{<type>} | v0.99.8^{commit} |
| 12. <rev>^{} | v0.99.8^{} |
| 13. <rev>^{/<text>} | HEAD^{/fix nasty bug} |
| 14. :/<text> | :/fix nasty bug |
Proposal
Add new kind of entity called evidence
to releases. These entities should contain the raw material itself, not links to it, together with a strong checksum computed at the time the release was created, so that any later modification can be detected. Note that a checksum stored next to the data it covers only catches accidental change; to hold up against someone who can edit the record, the checksum must also be kept out of band or signed.
For the first iteration (release 12.4), we will provide:
- A snapshot of the release JSON and its SHA-256. The content is still to be defined, but it will probably include details of the release, the associated milestones, the project, etc. Here is a placeholder for this JSON until we define what it will really be:

```json
{
  "release": {
    "id": 12345,
    "tag": "v3.4.0",
    "name": "New release",
    "project": "Project name",
    "released_at": "2019-06-28 13:23:40 UTC",
    "milestones": [
      {
        "id": 11,
        ...
      },
      {
        "id": 12,
        ...
      }
    ]
  }
}
```
- A link to the external location of the *.exe or installation file of the build/release. The link itself is not strong enough to count as evidence (the content behind a URL can change), but it helps locate the artifact quickly during an audit:

```json
"links": [
  {
    "id": 3,
    "name": "hoge",
    "url": "https://google.com",
    "external": true
  }
]
```

In a later phase we will research how to obtain the actual checksum of the installation file and/or package, so that the linked artifact can be verified rather than merely located.
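The following is an added illustration of the evidence idea above, not GitLab's implementation: it snapshots a release JSON, hashes a canonical serialisation of it (key order and whitespace would otherwise change the SHA-256), records a SHA-256 of the installer bytes beside the link, and adds a keyed MAC so that an edit to the stored digests is also caught. The service key, the sample release, the installer bytes and the URL are all constructed for the example.

```python
# Added example, not GitLab's code: build and verify a release evidence record.
import hashlib
import hmac
import json

# Constructed key standing in for a secret held only by the evidence service.
# A digest stored next to the data it covers only detects accidental change:
# anyone who can edit the record can recompute it. The keyed MAC below cannot
# be recomputed without the key.
SERVICE_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(obj) -> bytes:
    """Deterministic serialisation; sorted keys and fixed separators keep the hash stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence(release: dict, artifact: bytes, artifact_url: str) -> dict:
    """Snapshot the release JSON and the installer bytes at release time."""
    snapshot = canonical_bytes({"release": release})
    record = {
        "release_snapshot": snapshot.decode("utf-8"),
        "release_snapshot_sha256": sha256_hex(snapshot),
        "links": [
            {"url": artifact_url, "external": True, "sha256": sha256_hex(artifact)},
        ],
    }
    # MAC over the canonical record so the digests themselves are covered.
    record["mac"] = hmac.new(SERVICE_KEY, canonical_bytes(record), "sha256").hexdigest()
    return record


def verify_evidence(record: dict, artifact: bytes) -> dict:
    """Re-check every digest; each flag is reported separately so an auditor sees what failed."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected_mac = hmac.new(SERVICE_KEY, canonical_bytes(body), "sha256").hexdigest()
    snapshot = record["release_snapshot"].encode("utf-8")
    return {
        "mac_ok": hmac.compare_digest(expected_mac, record.get("mac", "")),
        "snapshot_ok": sha256_hex(snapshot) == record["release_snapshot_sha256"],
        "artifact_ok": sha256_hex(artifact) == record["links"][0]["sha256"],
    }


if __name__ == "__main__":
    # Constructed sample release and installer bytes.
    release = {
        "id": 12345, "tag": "v3.4.0", "name": "New release", "project": "Project name",
        "released_at": "2019-06-28 13:23:40 UTC", "milestones": [{"id": 11}, {"id": 12}],
    }
    installer = b"constructed installer bytes"
    ev = build_evidence(release, installer, "https://example.com/downloads/installer-3.4.0.exe")
    print(verify_evidence(ev, installer))
    # Someone edits the snapshot and recomputes its SHA-256, but cannot forge the MAC.
    forged = dict(ev, release_snapshot=ev["release_snapshot"].replace("v3.4.0", "v3.4.1"))
    forged["release_snapshot_sha256"] = sha256_hex(forged["release_snapshot"].encode("utf-8"))
    print(verify_evidence(forged, installer))
```

The point of the canonical serialisation is that the same release produced by a different code path (different key order, pretty-printed vs. compact) must yield the same SHA-256, otherwise a legitimate re-export looks like tampering. The MAC is the simplest form of the out-of-band protection mentioned above; a signature with a key the auditor can verify independently would serve the same purpose.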
What does success look like, and how can we measure that?
TBD
Links / references
TBD