
BUG: High Signed-Releases score given to project that only signed releases long time ago #3439

Closed
diogoteles08 opened this issue Sep 1, 2023 · 3 comments
Labels
check/Signed-Releases kind/bug Something isn't working

Comments

@diogoteles08
Contributor

diogoteles08 commented Sep 1, 2023

Describe the bug
I've bumped into a case of a repository that has published some signed releases years ago, but all of their last 10 releases are not signed. In this case, Scorecard is still granting an 8/10 score on Signed-Releases.

Reproduction steps
Steps to reproduce the behavior:

  1. Run the following command to run Scorecard on project github.com/AcademySoftwareFoundation/openexr
     scorecard --repo=http://github.com/AcademySoftwareFoundation/openexr --checks=Signed-Releases --show-details --format=json | jq .
  2. Note that the project scores 8/10 on Signed-Releases because of the signed artifacts of the releases v2.4.2, v2.5.2, v2.5.3, but the current version of the project is v3.2.0, and there were several different releases between them.

Expected behavior
The score 8/10 is given to any project that signs its releases but doesn't emit provenance. However, this check should consider mostly the most recent releases, not only old ones.

@diogoteles08 diogoteles08 added the kind/bug Something isn't working label Sep 1, 2023
@spencerschrock
Member

Possible duplicate of #2169?

@raghavkaul
Contributor

The last release with any signing artifacts was v2.5.3, since then the releases are source code-only (only tar/zip files, which GitHub creates automatically), so we don't require them to be signed, since we implicitly trust GitHub/GitLab to zip correctly. Opened a PR to clarify this in our docs.
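
The distinction the maintainer draws (source-only releases are skipped; only releases that carry uploaded assets are judged, and a signed asset without provenance yields 8/10) is easier to see in code. The following Go program is an added illustration written for this page, not Scorecard's own implementation: the signature and provenance file suffixes, the averaging rule, the lookback window and the release list are all assumptions constructed here to mirror the reported situation (recent source-only releases, older releases with signed tarballs). It contrasts the asset-aware reading with the naive "last N releases" reading that the bug report assumed.

```go
package main

import (
	"fmt"
	"strings"
)

// Release is the minimal view of a GitHub release the check needs: its tag
// and the file names uploaded as release assets. An empty Assets list means
// a source-only release, whose tar/zip archives GitHub generates itself.
type Release struct {
	Tag    string
	Assets []string
}

// Assumed signature and provenance file-name suffixes for this example.
var (
	signatureSuffixes  = []string{".asc", ".sig", ".minisig"}
	provenanceSuffixes = []string{".intoto.jsonl"}
)

func anyHasSuffix(names, suffixes []string) bool {
	for _, n := range names {
		for _, s := range suffixes {
			if strings.HasSuffix(n, s) {
				return true
			}
		}
	}
	return false
}

// scoreOne returns the per-release score: 10 with provenance, 8 with a
// signature but no provenance (the 8/10 discussed in the issue), else 0.
func scoreOne(r Release) int {
	switch {
	case anyHasSuffix(r.Assets, provenanceSuffixes):
		return 10
	case anyHasSuffix(r.Assets, signatureSuffixes):
		return 8
	default:
		return 0
	}
}

// ScoreSignedReleases averages scoreOne over the newest `lookback` releases
// that actually carry uploaded assets, skipping source-only releases as the
// maintainer describes. releases must be ordered newest-first.
// Returns -1 when no release with assets exists (inconclusive).
func ScoreSignedReleases(releases []Release, lookback int) int {
	total, n := 0, 0
	for _, r := range releases {
		if len(r.Assets) == 0 {
			continue // source-only: GitHub-generated archives, not required to be signed
		}
		total += scoreOne(r)
		n++
		if n == lookback {
			break
		}
	}
	if n == 0 {
		return -1
	}
	return total / n
}

// ScoreNaive is the reading the bug report assumed: the newest `lookback`
// releases, whether or not they have assets.
func ScoreNaive(releases []Release, lookback int) int {
	total, n := 0, 0
	for i, r := range releases {
		if i == lookback {
			break
		}
		total += scoreOne(r)
		n++
	}
	if n == 0 {
		return -1
	}
	return total / n
}

// SampleReleases is constructed data (newest first): seven source-only
// releases, then three older releases with a signed tarball each. The
// intermediate tags and asset names are invented for the example.
var SampleReleases = []Release{
	{Tag: "v3.2.0"}, {Tag: "v3.1.0"}, {Tag: "v3.0.0"}, {Tag: "v2.5.8"},
	{Tag: "v2.5.7"}, {Tag: "v2.5.6"}, {Tag: "v2.5.5"},
	{Tag: "v2.5.3", Assets: []string{"project-2.5.3.tar.gz", "project-2.5.3.tar.gz.asc"}},
	{Tag: "v2.5.2", Assets: []string{"project-2.5.2.tar.gz", "project-2.5.2.tar.gz.asc"}},
	{Tag: "v2.4.2", Assets: []string{"project-2.4.2.tar.gz", "project-2.4.2.tar.gz.asc"}},
}

func main() {
	fmt.Println("asset-aware score:", ScoreSignedReleases(SampleReleases, 10)) // 8
	fmt.Println("naive score:      ", ScoreNaive(SampleReleases, 10))          // 2
}
```

With the same release history, the asset-aware rule yields 8 (three signed releases with assets, none with provenance) while the naive rule yields 2, which is the discrepancy the report describes. A project that wants the check to reflect its current practice should therefore look at which of its recent releases upload assets at all, and attach signatures (and ideally provenance) to those.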

@diogoteles08
Contributor Author

Oh that makes sense, thanks for letting us know and creating the PR!
