oss-rebuild uses a public Cloud KMS key to validate attestation signatures. Anonymous authentication is not supported, so an ADC credential must be present.
I would not use this with a dependency on Google Cloud, or the gcloud command line tool.
Mainly because Google has horrible customer support.
It would be more interesting if they came up with something hosted on third-party infrastructure. Last I heard, Google Cloud is run by Oracle executives.
---
E.g., in particular the UniSuper incident led me to believe that a lot of operational stuff is being outsourced and is of poor quality:
UniSuper members go a week with no account access after Google Cloud misconfig
I think that's the wrong way to frame it. OSS is not meant to make you rich, and expecting that is going to bring more pain than joy. However, I do think businesses should use their success to fund their dependencies in a way that makes sense for them.
> businesses should use their success to fund their dependencies in a way that makes sense for them.
They already do, and always have. It doesn't make any sense to most of them to fund their OSS dependencies at all, because they're available for free. They should do more than what makes sense for them, and they should have to pay professional consequences if they don't.
Programmers should have enough unity to bring pressure against companies that make a lot of money from software they don't pay for. Or rather, should have had, because LLMs have changed everything.
Rebuilt to Last? It is a Google project, so I give it two years.