Is your feature request related to a problem? Please describe
Currently, if a user is installing asdf from the GitHub releases URL, there's no guarantee that the assets attached to a given git tag/GitHub release will stay the same permanently. This can be mitigated to an extent using SHA hash checking, but I'm sure not all users are going to be doing that, and it'd be good to protect against attacks where GitHub release assets get swapped for malicious executables.
Describe the proposed solution
Enable immutable releases in the GitHub settings for this project, to ensure that new asdf releases going forward will always be immutable and can't be compromised for users installing asdf from the GitHub releases. It may be a good idea to do this for asdf's plugins as well, but I'm mainly interested in the main asdf repo enabling this.
Docs: https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases
You can theoretically make releases retroactively immutable, but that requires un-publishing/re-publishing and so probably isn't worth the trouble.
Describe similar asdf features and why they are not sufficient
- There is no replacement for this.
Describe other workarounds you've considered
Pinning the SHA hash works and should be fine, though not all users will be taking advantage of that and so it'd be ideal if the releases were made immutable instead.
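Added example, not code from this issue or from the asdf project: the "pin the SHA hash" workaround in script form. A user who cannot rely on immutable releases records the SHA-256 of a known-good asset once, then refuses to install any later download whose digest differs, which is exactly the asset-swap case described above. The asset contents, the pinned digest and the function names (`sha256_of`, `verify_pinned_sha256`, `install_verified`, `demo_asset_swap`) are constructed for the demo; the `curl` download is shown only in a comment so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the issue or the asdf project): install a release asset
# only if its SHA-256 matches a digest pinned in advance. Asset contents, digests
# and function names are constructed for the demo.
set -eu

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_pinned_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
# The pinned value is lower-cased so a digest copied in upper case still compares.
verify_pinned_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  pinned: %s\n  actual: %s\n' \
    "$1" "$expected" "$actual" >&2
  return 1
}

# install_verified ASSET PINNED_SHA256 DEST
# Copies ASSET to DEST as an executable only after the pin check passes; a
# mismatching download is deleted so it can never be run by mistake.
# In real use ASSET is first fetched with:  curl -fsSLo "$ASSET" "$RELEASE_URL"
install_verified() {
  asset=$1; pinned=$2; dest=$3
  if ! verify_pinned_sha256 "$asset" "$pinned"; then
    rm -f "$asset"
    return 1
  fi
  cp "$asset" "$dest" && chmod 0755 "$dest"
}

# Demo: pin a digest from a known-good copy, then simulate the asset being
# swapped under the same release tag. Returns 0 when the swap is rejected.
demo_asset_swap() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho "asdf (constructed good asset)"\n' > "$tmp/asdf.good"
  pinned=$(sha256_of "$tmp/asdf.good")   # the value a user records when pinning

  cp "$tmp/asdf.good" "$tmp/download"
  install_verified "$tmp/download" "$pinned" "$tmp/asdf-bin" \
    && echo "good asset: installed"

  # Attacker re-uploads a different binary under the same release tag.
  printf '#!/bin/sh\necho "malicious"\n' > "$tmp/download"
  if install_verified "$tmp/download" "$pinned" "$tmp/asdf-bin2"; then
    echo "BUG: swapped asset was installed"; rm -rf "$tmp"; return 1
  fi
  echo "swapped asset: rejected"
  rm -rf "$tmp"
}

demo_asset_swap
```

The pinned digest has to come from somewhere you trust (a checksum you verified out of band at pin time, or a digest committed to your own repo), not from the same release page you are downloading from, otherwise an attacker who can swap the asset can swap the checksum file too.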