I would advise (commercial) adopters to build the container images from source themselves when deploying to a production environment. In such an environment you will want to re-build the images frequently in order to take advantage of updated dependencies that contain the latest fixes. IMHO the artifacts published to Maven Central do not have much value except for building demos or command line clients.
I came across the following link describing the feature, currently in public beta, to use artifact attestations to establish provenance for builds here on GitHub: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
Generating these attestations and the SBOM, and signing them, should be somewhat straightforward using GitHub Actions CI already, if I understood correctly, so I started to wonder whether Hono would benefit from this kind of supply chain securing too, as a somewhat early adopter.
I haven't figured out yet how this would affect publishing the releases to Docker or Maven, where I would expect these attestations would need to be linked, but all in all it should be possible to adopt this security measure at some SLSA build level at least somewhat easily, to the best of my understanding.
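As an added example, not from the Hono project or from either participant in this issue, the following GitHub Actions workflow shows what the attestation setup discussed above looks like in practice: it builds a Maven artifact, generates an SPDX SBOM with `anchore/sbom-action`, records a build-provenance attestation and an SBOM attestation for the JAR with `actions/attest-build-provenance` and `actions/attest-sbom`, and does the same for a container image pushed to GHCR. The artifact glob `target/*.jar`, the image name `hono-example`, the Java version and the Maven invocation are assumptions for illustration, not Hono's real build configuration.

```yaml
# Added example, not Hono's own workflow. Artifact paths, image name and
# build commands are assumed for illustration.
name: release-with-attestations

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write       # OIDC token for Sigstore keyless signing of attestations
  attestations: write   # store attestations in GitHub's attestation store
  packages: write       # only needed for pushing the image (and its attestation) to GHCR

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed

      # Build from the tagged commit; artifacts land in target/ (assumed).
      - run: mvn -B -DskipTests package

      # SPDX JSON SBOM of the checked-out tree plus build output (syft underneath).
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json

      # SLSA-style build-provenance attestation for the built JAR(s).
      # The subject digest is computed from the file; the attestation is signed
      # via Sigstore with the workflow's OIDC identity.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: target/*.jar

      # Attach the SBOM to the same subject as a separate attestation.
      - uses: actions/attest-sbom@v1
        with:
          subject-path: target/*.jar
          sbom-path: sbom.spdx.json

      # Container image: build, push, then attest the pushed digest.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}/hono-example:${{ github.ref_name }}  # assumed name

      # For images the subject is name + digest, and push-to-registry stores the
      # attestation alongside the image as an OCI referrer as well as on GitHub.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ghcr.io/${{ github.repository }}/hono-example
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```

A consumer verifies a downloaded JAR with `gh attestation verify target/hono-example.jar --owner <org>` and the image with `gh attestation verify oci://ghcr.io/<org>/<repo>/hono-example:<tag> --owner <org>`; the check fails if the digest does not match or the signing identity is not a workflow in that owner's repositories. Note that the attestations live in GitHub's attestation store (and, with `push-to-registry`, in the OCI registry), not on Maven Central, so a Maven consumer has to fetch the artifact and run the verification against GitHub rather than expecting the provenance to be linked from the Central listing.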