logoalt Hacker News

semiquaveryesterday at 11:20 PM2 repliesview on HN

  > making it the first documented case of a self-spreading npm worm that carries valid SLSA provenance attestations
I’m sorry, but what is the point of a provenance attestation that can be generated automatically by malware? I would think that any system worth its salt would require strong cryptographic proof tying to some hardware second factor, not just “yep, this was was built on a github actions runner that had access to an ENV key.” It seems like this provenance scheme only works if the bad guys are utterly without creativity.

Replies

febusravengatoday at 7:16 AM

> This is a critical insight: SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended. A compromised build step can produce a validly-attested but malicious package.

They basically confirm that this whole provenance only proves origin. That origin was broken/flawed and was coerced to do something bad. (?)

Again, untrusted workflows can't write anywhere - cache poisoning was they key problem. If cache would be clean, release build/run would be clean too.

dborehamtoday at 1:05 AM

Proper security costs much more.