    So they pull open source, scan and fix it, and let you pull from them instead of from public repositories. Quote:

    Assured OSS service:

    are regularly scanned, analyzed, and fuzz-tested for vulnerabilities

    have corresponding enriched metadata incorporating Container/Artifact Analysis data

    are built with Cloud Build including evidence of verifiable SLSA-compliance

    are verifiably signed by Google

    are distributed from an Artifact Registry secured and protected by Google

    I really hope they will contribute back those issues that they find in packages.

      Well, nothing there says they will actually fix anything, just that they will look for it harder. They might end up just reporting issues to mainstream, or just making the issues public, which is already a win.