opensource.google.com


Flutter SLSA Progress & Identity and Access Management through Infrastructure As Code

Tuesday, October 4, 2022

We are excited to announce several new achievements in Dart and Flutter's mission to harden security. We have achieved Supply Chain Levels for Software Artifacts (SLSA) Level 2 security on Flutter’s Cocoon application, reduced our Identity and Access Management permissions to the minimum required access, and implemented Infrastructure-as-Code to manage permissions for some of our applications. These achievements follow our recent success enabling Allstar and Security Scorecards.

Highlights

Achieving Flutter’s Cocoon SLSA level 2: The Cocoon application provides continuous integration orchestration for Flutter Infrastructure. Cocoon also helps integrate several CI services with GitHub and provides tools to make GitHub development easier. Achieving SLSA Level 2 for Cocoon means we have addressed all the security concerns of levels 1 and 2 across the application. Under SLSA Level 2, Cocoon has “extra resistance to specific threats” to its supply chain. The Google Open Source Security team has audited and validated our achievement of SLSA Level 2 for Cocoon.


Implementing Identity & Access Management (IAM) via Infrastructure-as-Code: We have implemented additional security hardening features by onboarding docs-flutter-dev, master-docs-flutter-dev, and flutter-dashboard to use Identity and Access Management through an Infrastructure-as-Code system. These projects host applications, provide public documentation for Flutter, and contain a dashboard website for Flutter build status.

Using our Infrastructure-as-Code approach, security permission changes require code changes, ensuring approval is granted before the change is made. This also means that changes to security permissions are audited through source control and contain associated reasoning for the change. Existing IAM roles for these applications have been pared so that the applications follow the Principle of Least Privilege.
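The review gate described above can be made mechanical: if IAM bindings live in a file under source control, a CI check can show the reviewer exactly which grants a pull request adds or removes and refuse grants that break least privilege. The following is an added example, not Flutter or Cocoon project code. It assumes the bindings are stored in the GCP project-policy JSON shape ({"bindings": [{"role": ..., "members": [...]}]}); the service account name, the allow-list of roles, and the before/after policies are constructed for the example.

```python
"""Least-privilege gate for IAM-as-code changes (added example, not project code)."""
import json
from typing import Dict, List, Set, Tuple

# Basic roles grant far more than any single application needs (assumed policy).
OVERLY_BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Documented minimum per principal. Constructed for this example; real entries
# come from what each application is known to call.
DASHBOARD_SA = "serviceAccount:dashboard@example-project.iam.gserviceaccount.com"
ALLOWED_ROLES: Dict[str, Set[str]] = {
    DASHBOARD_SA: {"roles/appengine.deployer", "roles/logging.logWriter"},
}

Grant = Tuple[str, str]  # (role, member)


def grants(policy_text: str) -> Set[Grant]:
    """Flatten a policy document into individual (role, member) grants."""
    policy = json.loads(policy_text)
    return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}


def find_violations(grant_set: Set[Grant]) -> List[str]:
    """One reason per grant that breaks least privilege; empty means clean."""
    problems = []
    for role, member in sorted(grant_set):
        if member in PUBLIC_PRINCIPALS:
            problems.append(f"{role}: public principal {member} is never allowed")
        elif role in OVERLY_BROAD_ROLES:
            problems.append(f"{role}: basic role granted to {member}")
        elif member not in ALLOWED_ROLES:
            problems.append(f"{role}: {member} has no documented role allow-list")
        elif role not in ALLOWED_ROLES[member]:
            problems.append(f"{role}: not in the allow-list for {member}")
    return problems


def review_change(old_text: str, new_text: str) -> dict:
    """What a reviewer needs for the PR: exact grants added/removed, plus violations."""
    old, new = grants(old_text), grants(new_text)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "violations": find_violations(new),
    }


# Constructed before/after policies for a hypothetical change.
OLD_POLICY = json.dumps({"bindings": [
    {"role": "roles/appengine.deployer", "members": [DASHBOARD_SA]},
]})
NEW_POLICY = json.dumps({"bindings": [
    {"role": "roles/appengine.deployer", "members": [DASHBOARD_SA]},
    {"role": "roles/logging.logWriter", "members": [DASHBOARD_SA]},
    {"role": "roles/editor", "members": [DASHBOARD_SA]},             # too broad
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},  # public
]})

if __name__ == "__main__":
    report = review_change(OLD_POLICY, NEW_POLICY)
    for grant in report["added"]:
        print("+", *grant)
    for grant in report["removed"]:
        print("-", *grant)
    for problem in report["violations"]:
        print("VIOLATION:", problem)
    # A non-zero exit blocks the merge until the grant is narrowed or justified.
    raise SystemExit(1 if report["violations"] else 0)
```

Because the check runs on the diff of grants rather than on the whole policy, the reviewer sees the two risky additions (a basic role and a public principal) in isolation, and the reasoning for any legitimate exception ends up in the pull request alongside the change, which is the audit trail the post describes.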

Advantages

  • Achieving SLSA Level 2 for Cocoon means we have addressed all the security concerns of levels 1 and 2 across the application. Under SLSA Level 2, Cocoon has “extra resistance to specific threats” to its supply chain.
  • Provenance is now generated for both the flutter-dashboard and auto-submit artifacts through Cocoon’s automated build process. Provenance on these artifacts shows proof of their code source and tamper-proof build evidence. This work helps harden the security on the multiple tools used during the Cocoon build process: Google Cloud Platform, Cloud Build, App Engine, and Artifact Registry.
  • Overall we addressed 83% of all SLSA requirements across all levels for the Cocoon application. We have identified the work across the application which will need to be completed for each level and category of SLSA compliance. Because of this, we know we are well positioned to continue future work toward SLSA Level 4.
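Provenance only hardens the supply chain if something consumes it before an artifact is deployed. The following added example (not Cocoon's own tooling) shows the consumer-side check: it hashes the downloaded artifact, confirms that digest appears in the statement's subject, and confirms the builder identity and pinned source commit. It assumes the build service emitted an in-toto Statement carrying the SLSA v0.2 provenance predicate and that the signature on the surrounding envelope has already been verified against the builder's key. The builder id, source repository URL, build type and commit id are placeholders, not values from the post.

```python
"""Consumer-side check of a SLSA v0.2 provenance statement (added example)."""
import hashlib

EXPECTED_BUILDER_ID = "https://example.invalid/hosted-builder@v1"   # placeholder
EXPECTED_SOURCE_URI = "git+https://github.com/example-org/cocoon"    # placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact_name: str, artifact: bytes) -> list:
    """Return every reason the provenance does not vouch for this artifact."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")

    # The subject list binds the provenance to concrete bytes, so hash what was
    # actually downloaded rather than trusting the file name.
    digest = sha256_hex(artifact)
    if not any(s.get("name") == artifact_name
               and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact digest not listed in subject")

    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") != EXPECTED_BUILDER_ID:
        problems.append("builder id mismatch")

    # Source evidence: the build must have been configured from the expected
    # repository and pinned to a specific commit.
    source = predicate.get("invocation", {}).get("configSource", {})
    if not source.get("uri", "").startswith(EXPECTED_SOURCE_URI):
        problems.append("build not configured from the expected repository")
    if not source.get("digest", {}).get("sha1"):
        problems.append("source commit not pinned")
    return problems


def sample_statement(artifact_name: str, artifact: bytes) -> dict:
    """Constructed provenance for the given bytes, shaped like SLSA v0.2."""
    commit = "0" * 40  # constructed commit id
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {
            "builder": {"id": EXPECTED_BUILDER_ID},
            "buildType": "https://example.invalid/build-types/container@v1",  # placeholder
            "invocation": {
                "configSource": {
                    "uri": EXPECTED_SOURCE_URI + "@refs/heads/main",
                    "digest": {"sha1": commit},
                    "entryPoint": "cloudbuild.yaml",
                },
            },
            "materials": [{"uri": EXPECTED_SOURCE_URI, "digest": {"sha1": commit}}],
        },
    }


# Constructed artifact bytes and a matching statement.
GOOD_ARTIFACT = b"constructed flutter-dashboard build output"
STATEMENT = sample_statement("flutter-dashboard.tar", GOOD_ARTIFACT)

if __name__ == "__main__":
    print("genuine:", check_provenance(STATEMENT, "flutter-dashboard.tar", GOOD_ARTIFACT))
    print("tampered:", check_provenance(STATEMENT, "flutter-dashboard.tar", GOOD_ARTIFACT + b"!"))
```

A one-byte change to the artifact makes the digest check fail even though the statement itself is untouched, and a statement from a different builder fails the builder check even when the digest matches; both are the "specific threats" a Level 2 build is meant to resist, and neither can be detected without verifying the provenance at the point of use.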

Learnings and Best Practices

  1. Relatively small changes to the Cocoon application’s build process significantly increased the security of its supply chain. Google Cloud Build made this simple, since provenance metadata is created automatically during the Cloud Build process.
  2. Regulating IAM permissions through code changes adds many additional benefits and can make granting first time access simpler.
  3. Upgrading the SLSA level of an application sometimes requires varying efforts depending on the different factors of the application build process. Working towards SLSA level 4 will likely necessitate different configuration and code changes than required for SLSA level 2.

Coming Soon

Since this is the beginning of the Flutter and Dart journey toward greater SLSA level accomplishments, we hope to apply our learnings to more applications. We hope to begin work toward SLSA level 2 and beyond for more complex repositories like Flutter/flutter. Also, we hope to achieve an even higher level of SLSA compliance for the Cocoon application.

References

Supply Chain Levels for Software Artifacts (SLSA) is a security framework which outlines levels of supply chain security for an application as a checklist.

By Jesse Seales, Software Engineer – Dart and Flutter Security Working Group

Announcing the second group of Open Source Peer Bonus winners in 2022

Monday, October 3, 2022

We’re excited to announce our second group of Open Source Peer Bonus winners in 2022! 
The Google Open Source Peer Bonus program is designed to recognize external open source contributors nominated by Googlers for their open source contributions. This cycle, we are pleased to announce a total of 141 winners across 110+ projects, residing in 36 countries.
All open source contributors external to Google are eligible to be nominated. Whether you’re a software engineer, technical writer, community advocate, mentor, user experience designer, security expert, educator, or anything else, you can be nominated for a peer bonus.

Our awards often come as a surprise to some while also providing motivation to others to responsibly contribute to open source. Learn more about what the Google Open Source Peer Bonus program means to our winners from this cycle:

“It was a very nice surprise to receive the Open Source Peer Bonus notification. I hope it can help lift contributors off, not only for their code contributions but for community contributions too.” – Oriol Abril Pla, ArviZ, PyMC

“The Kubernetes and CNCF ecosystem is massive. So, there are tons of opportunities to carve out your own niche in them. One of my key goals has been to make the project(s) more secure than how they were when I joined them. These awards are a welcome sprinkle of motivation to keep being a responsible open source contributor.” – Pushkar Joglekar, Kubernetes and CNCF

“I’m very pleased and proud to receive a Google Open Source Peer Bonus award. I was nominated for my contributions to The Good Docs Project where we are creating technical writing templates to help other projects create high-quality documentation. I’m passionate about the work we’re doing there, and have been hanging around the project since its inception in 2019. This is a friendly, inclusive community creating a safe space for folk to dip their toe into open source. We are global, and new folk are always welcome.” – Felicity Brand, The Good Docs Project

“I've been actively working on open source projects since my time at NIST with the FDS project starting in 2006. More recently with The Good Docs Project (TGDP) since 2020. It's been a very rewarding experience to contribute to TGDP, with such an amazing diversity of participants, perspectives and interests involved. To be given recognition through the OSPB program was a pleasant and unexpected surprise. While it's not at all what I am participating in the project for, it feels great to have someone else in the project bring my name up for this award. Thank you to TGDP and to Google for this honor.” – Bryan Klein, The Good Docs Project

“The Open Source Peer Bonus program is more than an appreciation for our contribution to the open source world. It encourages people to share their talent. To be the hero of the ones who are benefiting from your work, put your codes in the open source world.” – Nan YE, Orange Innovation China

“The TFX team and community is by far the most responsive, helpful and knowledgeable open-source project that I have worked on. It's a great feeling to be a part of the democratizing of productionised ML workflows, and being officially recognised on your efforts and contributions is the cherry on top.” – Jens Wiren, Analytical Impact Solutions

“The HTTP Archive team is welcoming to contributors and happily showed me the ropes until I got going. The project is invaluable to the web community, and working on the Web Almanac allowed me to work with domain experts on several topics, including Performance, JavaScript, and Third Parties.” – Kevin Farrugia, HTTP Archive

“Participating in these projects has been a great learning experience and has given me the opportunity to connect with a lot of great people. I am humble and grateful for the recognition and appreciation this program gives to the contributions made to these projects.” – Ole Markus With, kOps/etcdadm

“Google has been very generous in recognising VertFlow, which is a tool still in its infancy after the idea popped into my head a few months ago in conversation with a Google Cloud Customer Engineer. I hope this will encourage users to adopt VertFlow to reduce their carbon footprint when using GCP.” – Jack Lockyer-Stevens, VertFlow

Below is the list of current winners who gave us permission to thank them publicly:

Project | Winner
--- | ---
abap2xlsx | Gregor Wolf
ABC A System for Sequential Synthesis and Verification | Alan Mishchenko
Accelerated HW Synthesis | Zihao Li
Agones | Daniel Oliveira
Android, Pithus, Exodus Privacy, PiRogue, Frida | Esther Onfroy
AndroidX Jetpack | Michał Zieliński
Angular | Dario Piotrowicz
Angular Language Service | Ivan Wan
Apache Airflow | Elad Kalif
Apache Beam | Alex Van Boxel
Apache Beam | Austin Bennett
Apache Beam | Moritz Mack
Apache Hop | Matt Casters
aroman | Avi Romanoff
ArviZ and PyMC | Oriol Abril Pla
Babel | Nicolò Ribaudo
Bazel | Fabian Meumertzheim
Beam | Alex Kosolapov
Blockly | Johnny Oshika
BRLTTY | Dave Mielke
Bun | Jarred Sumner
cargo-make | Sagie Gur-Ari
Chrome DevTools Frontend | Percy Ley
Chromium | Juba Borgohain
Chromium | David Sanders
Chromium | Amos Lim
ClangBuiltLinux | Nathan Chancellor
cloud-data-quality | Amandeep Singh
CNCF | Ragashree M C
Contributing.today Open Source meetup | Floor Drees
CoreDNS and Kubernetes | Chris O'Haver
cpu_features | Mykola Hohsadze
DartPad | Tim Maffett
dbus | Simon McVittie
Dill | Mike McKerns
distroless | Ole-Martin Bratteng
Don't kill my app and merge to Google Android CTS | Petr Nálevka
ecma262 | Richard Gibson
Firebase Admin .NET SDK | Levi Muriuki
Firebase Admin Node.js SDK | Igor Savin
Firebase Admin Node.js SDK | Aras Abbasi
Firebase Apple SDK | Mike Hardy
Firebase Apple SDK | Jake Krog
Firebase Apple SDK | Alex Zchut
Firebase Arduino Client Library for ESP8266 and ESP32 | Suwatchai Klakerdpol
Firebase Crashlytics | Sergio Campamá
firebase-ios-sdk | Fumito Ito
firebase-ios-sdk | Tito Ciuro
firebase-js-sdk | Andi Pätzold
fish-shell | Peter Ammon
Flashrom | Thomas Heijligen
Flashrom | Felix Singer
FreeCAD | Lei Zheng
Fuchsia | Alexander Popov
Git | Jorawar Singh
git and openssh | Fabian Stelzer
GNU Guix | Ludovic Courtès
GNU Mes | Janneke Nieuwenhuizen
go-clean-arch | Iman Tumorang
golang/protobuf | Cassondra Foesch
google-cloud-pricing-cost-calculator | Nils Knieling
gopls | Ruslan Nigmatullin
GrapheneOS | Daniel Micay
GSYVideoPlayer | Asher Guo
Hello World gRPC-Gateway | Rajiv Singh
Lichess | Thibault Duplessis
JRuby | Charles Nutter
Keras | Sayak Paul
KernelWireguard | Jason Donenfeld
Knative | Mahamed Ali
Knative | Gabriel Freites
Kubernetes, CNCF | Pushkar Joglekar
Kubernetes (kOps, etcdadm etc) | Ciprian Hacman
Kubernetes (particularly kOps / etcdadm) | Ole Markus With
Kubernetes (particularly kOps / etcdadm) | Peter Rifel
Kubernetes Gateway API | Keith Mattix
KUnit/Linux kernel | Shuah Khan
Leaflet | Volodymyr Agafonkin
libyuv | Yuan Tong
lnav | Tim Stack
Log4J | Ralph Goers
Magit | Jonas Bernoulli
medium_stats | Oliver Tosky
Mockk | Oleksii Pylypenko
moja global | Harsh Bardhan Mishra
mvt (Mobile Verification Toolkit) | Claudio Guarnieri
OSS educator and collaborator | José Luis Chiquete
notcurses | nick black
Nudge | Erik Gomez
OpenSSF Allstar | Yori Yano
Oppia | Om Khandade
Oppia | Chantel Chan
OR-Tools | Xiang Chen
pcileech (and LeechCore subproject) | Ulf Frisk
Project Jupyter | Min Ragan-Kelley
Protocol Buffers | Yannic Bonenberger
pyinfra | Nick Mills-Barrett
PyPI | Jack Lockyer-Stevens
PyTorch / XLA | Ronghang Hu
QGIS | Nyall Dawson
react-native-firebase | Minsik Kim
Rich, Textualize | Will McGugan
Rust for Linux | Björn Roy Baron
sableangle | Miki Huang
Samba | David Mulder
Scorecards | Varun Sharma
Scorecards | Naveen Srinivasan
SimpleWebAuthn | Matthew Miller
SLSA | Michael Lieberman
Spock | Leonard Brünings
SQLAlchemy | Michael Bayer
stage0 | Jeremiah Orians
styler | Lorenz Walthert
Surelog | Alain Dargelas
Svelte | Rich Harris
TC39 | Jordan Harband
Tekton | Parth Patel
Tekton | Andrew Bayer
TensorFlow | Stefano Fabri
TensorFlow | Jason Zaman
TensorFlow Lite Examples - Android | Nan Ye
TFX | Ukjae Jeong
TFX | Jens Wiren
TFX-Addons | Gerard Casas Saez
TFX-Addons | Hannes Hapke
TFX-BSL | Martin Bomio
tfx-helper | Tomasz Mackowiak
The Good Docs Project | Aaron Peters
The Good Docs Project | Felicity Brand
The Good Docs Project | Ian Nguyen
The Good Docs Project | Bryan Klein
The Good Docs Project | Serena Jolley
Tow-Boot | Samuel Dionne-Riel
Trivy | Teppei Fukuda
TUF, CNCF | Marina Moore
V8 | Ao Wang
ViSQOL | Feargus O'Gorman
W3C WebGPU standard | Mehmet Oguz Derin
wdi5 | Volker Buzek
Web Almanac | Kevin Farrugia
WebRTC | Byoungchan Lee

Congratulations to our winners above and thank you for your open source contributions. We look forward to your continued support and efforts in the open source communities. Additionally, thank you to all of the Googlers who submitted nominations and our review committee members for reviewing nominations.

By Joe Sylvanovich – Google Open Source Programs Office