Lack of independently verifiable and tamper evident release decisions outside the platform #191913
Replies: 2 comments 1 reply
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐
That's a really insightful point: having release decisions as standalone, tamper-evident artifacts would definitely strengthen trust, especially for audits and offline validation. It would also reduce dependency on a single platform as the source of truth. In a similar way, systems like haha pkr game download highlight how important it is to have reliable and verifiable processes built into the core experience for better transparency and security.
🏷️ Discussion Type: Product Feedback
💬 Feature/Topic Area: Supply chain security
Discussion Details
Current release decisions in GitHub, whether a release is allowed or blocked, can be reviewed through checks, logs and audit records, but they remain fundamentally tied to the platform as the source of truth.
In practice this means the decision cannot be independently verified outside GitHub without relying on its data or APIs, and there is no standalone record of the decision itself that can be validated in isolation.
More importantly, there is no way to verify the decision offline or to detect whether it has been altered after the fact without trusting the system that produced it.
This creates a gap in scenarios where the decision needs to be treated as an artifact on its own, such as audits, incident analysis or cross-system validation, where independence from the originating platform is required.
The distinction here is between verifying an artifact and verifying the decision that allowed that artifact to exist: current approaches focus on provenance and attestations but do not address the decision as a verifiable object.
Is there any direction toward making release decisions themselves independently verifiable, tamper-evident and usable for offline validation, rather than remaining platform-bound records?
I have been exploring an approach where the decision is captured as a standalone verifiable artifact, but I am interested in how GitHub views this direction from a product and security perspective.
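As an added illustration of the standalone, tamper-evident decision artifact the post asks for (example code written for this page, not GitHub's and not the poster's own approach; the field set, the JSON envelope layout, the `release-gate` issuer and the sample artifact bytes are all assumptions), the Go program below signs a release decision with Ed25519 so that anyone holding the issuer's public key can verify it offline, detect alteration of the stored record, and confirm that the decision refers to the artifact they actually hold:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ReleaseDecision records the decision itself as data, independent of any
// platform log. The field set is an assumption made for this example.
type ReleaseDecision struct {
	ArtifactSHA256 string   `json:"artifact_sha256"` // binds the decision to one artifact
	Decision       string   `json:"decision"`        // "allowed" or "blocked"
	Reasons        []string `json:"reasons"`
	IssuedAt       string   `json:"issued_at"` // RFC 3339
}

// SignedDecision is the standalone envelope: the exact signed bytes plus an
// Ed25519 signature over them, checkable with the issuer's public key alone.
type SignedDecision struct {
	Payload   string `json:"payload"`   // base64 of the JSON-encoded decision
	Signature string `json:"signature"` // base64 of the Ed25519 signature
}

// SignDecision serialises the decision and signs exactly those bytes.
func SignDecision(d ReleaseDecision, priv ed25519.PrivateKey) (SignedDecision, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return SignedDecision{}, err
	}
	return SignedDecision{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload)),
	}, nil
}

// VerifyDecision checks the envelope against a trusted public key, then checks that
// the decision refers to the artifact in hand. Both checks run offline.
func VerifyDecision(sd SignedDecision, pub ed25519.PublicKey, artifact []byte) (ReleaseDecision, error) {
	var d ReleaseDecision
	payload, err1 := base64.StdEncoding.DecodeString(sd.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(sd.Signature)
	if err1 != nil || err2 != nil {
		return d, errors.New("envelope is not valid base64")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return d, errors.New("signature mismatch: decision altered or not issued by this key")
	}
	if err := json.Unmarshal(payload, &d); err != nil {
		return d, err
	}
	if sum := sha256.Sum256(artifact); d.ArtifactSHA256 != hex.EncodeToString(sum[:]) {
		return d, errors.New("decision is genuine but covers a different artifact")
	}
	return d, nil
}

// Tamper edits the stored payload without re-signing, simulating after-the-fact alteration.
func Tamper(sd SignedDecision, from, to string) SignedDecision {
	payload, _ := base64.StdEncoding.DecodeString(sd.Payload)
	altered := bytes.Replace(payload, []byte(`"`+from+`"`), []byte(`"`+to+`"`), 1)
	sd.Payload = base64.StdEncoding.EncodeToString(altered)
	return sd
}

// Demo signs a constructed "blocked" decision and reports whether the genuine envelope,
// a tampered copy, and the genuine envelope checked against another artifact each verify.
func Demo() (genuineOK, tamperedOK, wrongArtifactOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	artifact := []byte("constructed release tarball bytes for example-app 1.2.3")
	sum := sha256.Sum256(artifact)
	sd, err := SignDecision(ReleaseDecision{
		ArtifactSHA256: hex.EncodeToString(sum[:]),
		Decision:       "blocked",
		Reasons:        []string{"required check 'sbom-scan' failed"}, // constructed reason
		IssuedAt:       "2024-01-01T00:00:00Z",
	}, priv)
	if err != nil {
		return
	}
	_, gErr := VerifyDecision(sd, pub, artifact)
	_, tErr := VerifyDecision(Tamper(sd, "blocked", "allowed"), pub, artifact)
	_, wErr := VerifyDecision(sd, pub, []byte("some other build"))
	return gErr == nil, tErr == nil, wErr == nil, nil
}

func main() {
	g, t, w, err := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongArtifact=%v err=%v\n", g, t, w, err)
}
```

Run with `go run` and it prints `genuine=true tampered=false wrongArtifact=false err=<nil>`. The two rejections are the properties the post is asking for: the flipped "blocked" to "allowed" fails because the signature covers the exact payload bytes, and the mismatched digest fails because the decision is bound to one artifact rather than to a release name. What the example assumes away is key distribution: the verifier has to obtain the issuer's public key through a channel it trusts independently of the platform (and, for a real deployment, know which keys were valid at the time of issuance), otherwise the offline check only relocates the trust instead of removing it.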