Flutter SLSA Progress & Identity and Access Management through Infrastructure As Code

We are excited to announce several new achievements in Dart and Flutter's mission to harden security. We have achieved Supply Chain Levels for Software Artifacts (SLSA) Level 2 security on Flutter’s Cocoon application, reduced our Identity and Access Management permissions to the minimum required access, and implemented Infrastructure-as-Code to manage permissions for some of our applications. These achievements follow our recent success to enable Allstar and Security Scorecards.

Highlights

Achieving Flutter’s Cocoon SLSA level 2: Cocoon application provides continuous integration orchestration for Flutter Infrastructure. Cocoon also helps integrate several CI services with Github and provides tools to make Github development easier. Achieving SLSA Level 2 for Cocoon means we have addressed all the security concerns of levels 1 and 2 across the application. Under SLSA Level 2, Cocoon has “extra resistance to specific threats” to its supply chain. The Google Open Source Security team has audited and validated our achievement of SLSA Level 2 for Cocoon.

Implementing Identity & Access Management (IAM) via Infrastructure-as-Code: We have implemented additional security hardening features by onboarding docs-flutter-dev, master-docs-flutter-dev, and flutter-dashboard to use Identity and Access Management through an Infrastructure-as-Code system. These projects host applications, provide public documentation for Flutter, and contain a dashboard website for Flutter build status.

Using our Infrastructure-as-Code approach, security permission changes require code changes, ensuring approval is granted before the change is made. This also means that changes to security permissions are audited through source control and contain associated reasoning for the change. Existing IAM roles for these applications have been pared so that the applications follow the Principle of Least Privilege.

Advantages

• Achieving SLSA Level 2 for Cocoon means we have addressed all the security concerns of levels 1 and 2 across the application. Under SLSA Level 2, Cocoon has “extra resistance to specific threats” to its supply chain.

• Provenance is now generated for both, flutter-dashboard and auto-submit, artifacts through Cocoon’s automated build process. Provenance on these artifacts shows proof of their code source and tamper-proof build evidence. This work helps harden the security on the multiple tools used during the Cocoon build process: Google Cloud Platform, Cloudbuild, App Engine, and Artifact Registry.

• Overall we addressed 83% of all SLSA requirements across all levels for the Cocoon application. We have identified the work across the application which will need to be completed for each level and category of SLSA compliance. Because of this, we know we are well positioned to continue future work toward SLSA Level 4.

Learnings and Best Practices

1. Relatively small changes to the Cocoon application’s build process significantly increased the security of its supply chain. Google Cloud Build made this simple, since provenance metadata is created automatically during the Cloud Build process.
2. Regulating IAM permissions through code changes adds many additional benefits and can make granting first time access simpler.
3. Upgrading the SLSA level of an application sometimes requires varying efforts depending on the different factors of the application build process. Working towards SLSA level 4 will likely necessitate different configuration and code changes than required for SLSA level 2.

Coming Soon

Since this is the beginning of the Flutter and Dart journey toward greater SLSA level accomplishments, we hope to apply our learnings to more applications. We hope to begin work toward SLSA level 2 and beyond for more complex repositories like Flutter/flutter. Also, we hope to achieve an even higher level of SLSA compliance for the Cocoon application.

References

Supply Chain Levels for Software Artifacts (SLSA) is a security framework which outlines levels of supply chain security for an application as a checklist.

By Jesse Seales, Software Engineer – Dart and Flutter Security Working Group

Announcing the second group of Open Source Peer Bonus winners in 2022

We’re excited to announce our second group of Open Source Peer Bonus winners in 2022! 

The Google Open Source Peer Bonus program is designed to recognize external open source contributors nominated by Googlers for their open source contributions. This cycle, we are pleased to announce a total of 141 winners across 110+ projects, residing in 36 countries.

All open source contributors external to Google are eligible to be nominated. Whether you’re a software engineer, technical writer, community advocate, mentor, user experience designer, security expert, or educator, etc. you can be nominated for a peer bonus

Our awards often come as a surprise to some while also providing motivation to others to responsibly contribute to open source. Learn more about what the Google Open Source Peer Bonus program means to our winners from this cycle:

“It was a very nice surprise to receive the Open Source Peer Bonus notification. I hope it can help lift contributors off, not only for their code contributions but for community contributions too.” – Oriol Abril Pla, ArviZ, PyMC

“The Kubernetes and CNCF ecosystem is massive. So, there are tons of opportunities to carve out your own niche in them. One of my key goals has been to make the project(s) more secure than how they were when I joined them. These awards are a welcome sprinkle of motivation to keep being a responsible open source contributor.” – Pushkar Joglekar, Kubernetes and CNCF

“I’m very pleased and proud to receive a Google Open Source Peer Bonus award. I was nominated for my contributions to The Good Docs Project where we are creating technical writing templates to help other projects create high-quality documentation. I’m passionate about the work we’re doing there, and have been hanging around the project since its inception in 2019. This is a friendly, inclusive community creating a safe space for folk to dip their toe into open source. We are global, and new folk are always welcome.” – Felicity Brand, The Good Docs Project

“I've been actively working on open source projects since my time at NIST with the FDS project starting in 2006. More recently with The Good Docs Project (TGDP) since 2020. It's been a very rewarding experience to contribute to TGDP, with such an amazing diversity of participants, perspectives and interests involved. To be given recognition through the OSPB program was a pleasant and unexpected surprise. While it's not at all what I am participating in the project for, it feels great to have someone else in the project bring my name up for this award. Thank you to TGDP and to Google for this honor.” – Bryan Klein, The Good Docs Project

“The Open Source Peer Bonus program is more than an appreciation for our contribution to the open source world. It encourages people to share their talent. To be the hero of the ones who are benefiting from your work, put your codes in the open source world.” – Nan YE, Orange Innovation China

“The TFX team and community is by far the most responsive, helpful and knowledgeable open-source project that I have worked on. It's a great feeling to be a part of the democratizing of productionised ML workflows, and being officially recognised on your efforts and contributions is the cherry on top.” – Jens Wiren, Analytical Impact Solutions

“The HTTP Archive team is welcoming to contributors and happily showed me the ropes until I got going. The project is invaluable to the web community, and working on the Web Almanac allowed me to work with domain experts on several topics, including Performance, JavaScript, and Third Parties.” – Kevin Farrugia, HTTP Archive

“Participating in these projects has been a great learning experience and has given me the opportunity to connect with a lot of great people. I am humble and grateful for the recognition and appreciation this program gives to the contributions made to these projects.” – Ole Markus With, kOps/etcdadm

“Google has been very generous in recognising VertFlow, which is a tool still in its infancy after the idea popped into my head a few months ago in conversation with a Google Cloud Customer Engineer. I hope this will encourage users to adopt VertFlow to reduce their carbon footprint when using GCP.” – Jack Lockyer-Stevens, VertFlow

Below is the list of current winners who gave us permission to thank them publicly:

Project	Winner
abap2xlsx	Gregor Wolf
ABC A System for Sequential Synthesis and Verification	Alan Mishchenko
Accelerated HW Synthesis	Zihao Li
Agones	Daniel Oliveira
Android, Pithus, Exodus Privacy, PiRogue, Frida	Esther Onfroy
AndroidX Jetpack	Michał Zieliński
Angular	Dario Piotrowicz
Angular Language Service	Ivan Wan
Apache Airflow	Elad Kalif
Apache Beam	Alex Van Boxel
Apache Beam	Austin Bennett
Apache Beam	Moritz Mack
Apache Hop	Matt Casters
aroman	Avi Romanoff
ArviZ and PyMC	Oriol Abril Pla
Babel	Nicolò Ribaudo
Bazel	Fabian Meumertzheim
Beam	Alex Kosolapov
Blockly	Johnny Oshika
BRLTTY	Dave Mielke
Bun	Jarred Sumner
cargo-make	Sagie Gur-Ari
Chrome DevTools Frontend	Percy Ley
Chromium	Juba Borgohain
Chromium	David Sanders
Chromium	Amos Lim
ClangBuiltLinux	Nathan Chancellor
cloud-data-quality	Amandeep Singh
CNCF	Ragashree M C
Contibuting.today Open Source meetup	Floor Drees
CoreDNS and Kubernetes	Chris O'Haver
cpu_features	Mykola Hohsadze
DartPad	Tim Maffett
dbus	Simon McVittie
Dill	Mike McKerns
distroless	Ole-Martin Bratteng
Don't kill my app and merge to Google Android CTS	Petr Nálevka
ecma262	Richard Gibson
Firebase Admin .NET SDK	Levi Muriuki
Firebase Admin Node.js SDK	Igor Savin
Firebase Admin Node.js SDK	Aras Abbasi
Firebase Apple SDK	Mike Hardy
Firebase Apple SDK	Jake Krog
Firebase Apple SDK	Alex Zchut
Firebase Arduino Client Library for ESP8266 and ESP32.	Suwatchai Klakerdpol
Firebase Crashlytics	Sergio Campamá
firebase-ios-sdk	Fumito Ito
firebase-ios-sdk	Tito Ciuro
firebase-js-sdk	Andi Pätzold
fish-shell	Peter Ammon
Flashrom	Thomas Heijligen
Flashrom	Felix Singer
FreeCAD	Lei Zheng
Fuchsia	Alexander Popov
Git	Jorawar Singh
git and openssh	Fabian Stelzer
GNU Guix	Ludovic Courtès
GNU Mes	Janneke Nieuwenhuizen
go-clean-arch	Iman Tumorang
golang/protobuf	Cassondra Foesch
google-cloud-pricing-cost-calculator	Nils Knieling
gopls	Ruslan Nigmatullin
GrapheneOS	Daniel Micay
GSYVideoPlayer	Asher Guo
Hello World gRPC-Gateway	Rajiv Singh
Lichess	Thibault Duplessis
JRuby	Charles Nutter
Keras	Sayak Paul
Kernel, Wireguard	Jason Donenfeld
Knative	Mahamed Ali
Knative	Gabriel Freites
Kubernetes, CNCF	Pushkar Joglekar
Kubernetes (kOps, etcdadm etc)	Ciprian Hacman
Kubernetes (particularly kOps / etcdadm)	Ole Markus With
Kubernetes (particularly kOps / etcdadm)	Peter Rifel
Kubernetes Gateway API	Keith Mattix
KUnit/Linux kernel	Shuah Khan
Leaflet	Volodymyr Agafonkin
libyuv	Yuan Tong
lnav	Tim Stack
Log4J	Ralph Goers
Magit	Jonas Bernoulli
medium_stats	Oliver Tosky
Mockk	Oleksii Pylypenko
moja global	Harsh Bardhan Mishra
mvt (Mobile Verification Toolkit)	Claudio Guarnieri
OSS educator and collaborator	José Luis Chiquete
notcurses	nick black
Nudge	Erik Gomez
OpenSSF Allstar	Yori Yano
Oppia	Om Khandade
Oppia	Chantel Chan
OR-Tools	Xiang Chen
pcileech (and LeechCore subproject)	Ulf Frisk
Project Jupyter	Min Ragan-Kelley
Protocol Buffers	Yannic Bonenberger
pyinfra	Nick Mills-Barrett
PyPI	Jack Lockyer-Stevens
PyTorch / XLA	Ronghang Hu
QGIS	Nyall Dawson
react-native-firebase	Minsik Kim
Rich, Textualize	Will McGugan
Rust for Linux	Björn Roy Baron
sableangle	Miki Huang
Samba	David Mulder
Scorecards	Varun Sharma
Scorecards	Naveen Srinivasan
SimpleWebAuthn	Matthew Miller
SLSA	Michael Lieberman
Spock	Leonard Brünings
SQLAlchemy	Michael Bayer
stage0	Jeremiah Orians
styler	Lorenz Walthert
Surelog	Alain Dargelas
Svelte	Rich Harris
TC39	Jordan Harband
Tekton	Parth Patel
Tekton	Andrew Bayer
TensorFlow	Stefano Fabri
TensorFlow	Jason Zaman
TensorFlow Lite Examples - Android	Nan Ye
TFX	Ukjae Jeong
TFX	Jens Wiren
TFX-Addons	Gerard Casas Saez
TFX-Addons	Hannes Hapke
TFX-BSL	Martin Bomio
tfx-helper	Tomasz Mackowiak
The Good Docs Project	Aaron Peters
The Good Docs Project	Felicity Brand
The Good Docs Project	Ian Nguyen
The Good Docs Project	Bryan Klein
The Good Docs Project	Serena Jolley
Tow-Boot	Samuel Dionne-Riel
Trivy	Teppei Fukuda
TUF, CNCF	Marina Moore
V8	Ao Wang
ViSQOL	Feargus O'Gorman
W3C WebGPU standard	Mehmet Oguz Derin
wdi5	Volker Buzek
Web Almanac	Kevin Farrugia
WebRTC	Byoungchan Lee

Congratulations to our winners above and thank you for your open source contributions. We look forward to your continued support and efforts in the open source communities. Additionally, thank you to all of the Googlers who submitted nominations and our review committee members for reviewing nominations.

By Joe Sylvanovich – Google Open Source Programs Office