The aqtinstall project includes not only building and running unit tests in CI but also installing Qt and building sample projects. Additionally, the release process is fully automated through GitHub Actions-based continuous delivery (CD). This ensures that the process of building the Python wheel packages used by the project and generating the aqt.exe binary is fully observable and free from manual intervention.
Addressing Software Supply Chain Security
In recent years, the Python community has been increasingly focused on the security of the software supply chain, including SBOM (Software Bill of Materials). This is due to the rise of security threats such as typo-squatting attacks, which involve publishing malicious packages with names similar to legitimate ones, and attacks targeting software development and delivery processes.
To counter these threats, the Python Software Foundation (PSF) recommends using Trusted Publishers for PyPI package publication.
I aim to align with this recommended practice for package publication in the aqtinstall project.
Ensuring Installer Trustworthiness
Given the nature of this project as an installer, I believe it is not enough to simply ensure secure publication via CI/CD. Even if the installer software itself is free of issues, vulnerabilities in the software it installs could still pose significant security risks.
To mitigate this, the aqtinstall software retrieves SHA256 checksums from the Qt Foundation's official software distribution server at download.qt.io and verifies the artifacts downloaded from mirror sites against these checksums. This ensures that the artifacts match those distributed by the Qt Foundation.
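The verification step described above, as an added example written for this discussion (it is not aqtinstall's own code and does not use its API): the checksum file published by the origin is parsed in the `sha256sum` line format, the mirror-downloaded artifact is hashed in chunks, and any mismatch, missing entry, or malformed checksum line is treated as a failure. The function names, the `qtbase-example.7z` filename and the archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import io
import re
from typing import BinaryIO

# Assumed names for this example only (not aqtinstall's API):
# ChecksumMismatch, parse_sha256_file, sha256_of_stream, verify_artifact, verify_bytes.

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


class ChecksumMismatch(Exception):
    """Raised when a downloaded artifact does not match the published SHA256."""


def parse_sha256_file(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}.

    A leading '*' on the filename (sha256sum's binary-mode marker) is stripped.
    Malformed lines raise ValueError instead of being skipped, so a truncated or
    corrupted checksum file cannot quietly disable verification.
    """
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not _HEX64.match(parts[0]):
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def sha256_of_stream(stream: BinaryIO, chunk_size: int = 1 << 16) -> str:
    """Hash a file-like object in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, stream: BinaryIO, expected: dict[str, str]) -> str:
    """Return the artifact's SHA256 hex digest if it matches the published one, else raise.

    An artifact with no published digest is a failure as well: a mirror must not
    be able to serve a file for which the origin never published a hash.
    """
    if name not in expected:
        raise ChecksumMismatch(f"no published SHA256 for {name!r}")
    actual = sha256_of_stream(stream)
    # Constant-time comparison; mostly hygiene for a public hash, but it costs nothing.
    if not hmac.compare_digest(actual, expected[name]):
        raise ChecksumMismatch(f"{name}: expected {expected[name]}, got {actual}")
    return actual


def verify_bytes(name: str, data: bytes, checksum_text: str) -> str:
    """Convenience wrapper: verify in-memory bytes against the text of a checksum file."""
    return verify_artifact(name, io.BytesIO(data), parse_sha256_file(checksum_text))


if __name__ == "__main__":
    # Constructed sample: a stand-in for an archive as served by the origin, plus
    # the checksum file the origin would publish next to it.
    ARCHIVE_NAME = "qtbase-example.7z"
    ORIGIN_BYTES = b"constructed sample archive contents"
    CHECKSUM_TEXT = f"{hashlib.sha256(ORIGIN_BYTES).hexdigest()}  {ARCHIVE_NAME}\n"

    print("origin copy verified:", verify_bytes(ARCHIVE_NAME, ORIGIN_BYTES, CHECKSUM_TEXT))
    try:
        # A mirror serving a modified file is rejected.
        verify_bytes(ARCHIVE_NAME, ORIGIN_BYTES + b"\x00", CHECKSUM_TEXT)
    except ChecksumMismatch as exc:
        print("tampered mirror copy rejected:", exc)
```

The important design point is that the checksum file and the artifact come from different hosts: the digests are fetched from the origin over HTTPS and only the bulk download is trusted to a mirror, so a compromised or stale mirror can at worst cause a rejected download, not a silently substituted one.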
Installation Testing and Limitations
By performing Qt package installations and building sample projects during CI, the project guarantees that installation works correctly for tested versions. However, due to the variety of operating systems, CPU architectures, and Qt versions, the scope of testing is inherently limited.
Currently, testing is conducted within the free credits provided by Azure Pipelines and GitHub Actions for open-source projects. As such, it is challenging to expand the scope of testing further at this time.