New blog post on the GitLab blog by Dov Hershkovitch. Check it out here:
I was surprised to see this with no mention of trust or verifiability given how sensitive CI/CD is. Looking through the CI/CD Catalog it seems like there should be some concept of verified or official publishers (e.g. if I’m looking for Terraform components I want to see stuff from Hashicorp, etc.), and the UI doesn’t make it easy to tell who contributes to a given project or what code corresponds to the component I’m seeing.
For example, currently this is the first item in the catalog. I know nothing about this and for all I know the people behind it are all great but as a user it’s hard to know what I’m getting:
- The project path at the top isn’t a link to the repo. The icon is but it’s not styled to indicate that. Looking for information about the project requires two clicks to get to that page and five to see the members of the project.
- The catalog does list the name of the account which published something but it’s non-trivial to tell whether that person is trustworthy, or even a person, since many projects use bots and it’s non-trivial to tell whether you can trust @project_57207371_bot_37b505f48c345d9fa09c1d6cbb67ef52.
- There’s no indication of whether they follow good practices like signing commits.
- The version number does link to the 1.2.2 tag but it’s only when I click on the commit ID that I learn that the release wasn’t created from that tag because that job failed.
Again, this should not be read as anything negative about that project or anyone behind it but rather how some practices from the past probably aren’t safe to continue in the future. Thinking about this in the light of the recent xz attack which relied on a non-audited build process, I think things like CI/CD components would be a very tempting target for an attacker.
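A consumer-side check for the two concerns raised above (who published a component, and whether a version label actually identifies the code you get), as an added example that is not part of this thread or of GitLab's code: it scans a `.gitlab-ci.yml` for `component:` includes in the form documented by GitLab (`host/namespace/project/component@version`), flags references not pinned to a full commit SHA, and flags publisher namespaces outside an allowlist. The allowlist and the sample pipeline are constructed for the example.

```python
import re

# Constructed sample .gitlab-ci.yml: one tag-pinned include, one floating
# include from an unknown publisher, one pinned to a full commit SHA.
SAMPLE_CI = """include:
  - component: gitlab.com/acme-org/pipeline-components/lint@1.2.2
  - component: gitlab.com/unknown-user/fancy-deploy/deploy@~latest
  - component: gitlab.com/acme-org/pipeline-components/test@0123456789abcdef0123456789abcdef01234567
"""

# Hypothetical organisation policy: only these top-level namespaces are trusted publishers.
TRUSTED_NAMESPACES = {"acme-org"}

COMPONENT_RE = re.compile(r"""^\s*-?\s*component:\s*['"]?([^\s'"]+)['"]?\s*$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_component_ref(ref):
    """Split 'host/namespace/.../component@version' into its parts, or None if malformed."""
    if "@" not in ref:
        return None
    path, version = ref.rsplit("@", 1)
    parts = path.split("/")
    if len(parts) < 3:  # need at least host, namespace and project
        return None
    return {"host": parts[0], "namespace": parts[1], "path": path, "version": version}


def audit_components(ci_yaml, trusted_namespaces):
    """Return (line_number, reference, reason) findings for risky component includes."""
    findings = []
    for lineno, line in enumerate(ci_yaml.splitlines(), 1):
        match = COMPONENT_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        parsed = parse_component_ref(ref)
        if parsed is None:
            findings.append((lineno, ref, "unparseable component reference"))
            continue
        if parsed["namespace"] not in trusted_namespaces:
            findings.append((lineno, ref, "publisher namespace not in allowlist"))
        # A tag or ~latest can be moved or re-created; only a full SHA names one exact tree.
        if not FULL_SHA_RE.match(parsed["version"]):
            findings.append((lineno, ref, "not pinned to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in audit_components(SAMPLE_CI, TRUSTED_NAMESPACES):
        print(f"line {lineno}: {reason}: {ref}")
```

Pinning to a SHA only fixes which code runs; it does not say who wrote it, which is why the allowlist check sits alongside it.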
Thank you for your feedback on trust and verifiability within our CI/CD platform. Your insights are invaluable as we strive to enhance security and transparency.
We understand the importance of establishing trust in components and plan to introduce badges indicating the trust level of each component, as outlined in our roadmap. Additionally, we’re exploring ways to improve the user interface to provide clearer information about project contributors and code origins.
Thanks - I’m looking forward to seeing how it evolves.