Monthly Archives: October 2021

Reminder: Editing in classic Google Sites will no longer be available starting December 1, 2021 and classic Sites will no longer be viewable beginning January 1, 2021

What’s changing 

As previously announced, we are replacing classic Google Sites with new Google Sites. To avoid disruption, please make sure all of your existing classic Sites are migrated by December 31, 2021

We’d like to remind you that: 
  • Starting December 1, 2021: you will no longer be able to edit any remaining classic Google Sites in your domain. 
  • Starting January 1, 2022: classic Google Sites will no longer be viewable unless they are converted to new Google Sites. Any remaining classic Sites will automatically be: 
    • Downloaded as an archive and saved to the website owner’s Google Drive. 
    • Replaced with a draft in the new Google Sites for site owners to review and publish. 

See below for more information.

Who’s impacted

Admins and end users 

Why it’s important

To ensure your organization’s classic Sites content continues to be viewable without interruption, make sure all your existing classic Sites are migrated by December 31, 2021. If you haven’t already done so, enable new Sites creation for your organization.

We anticipate the transition process for all remaining classic Sites that starts on January 1, 2022 will take up to three months to complete. Admins will receive an email notification once this is completed for their domain. During the transition period, you and your users will still be able to migrate remaining classic Sites that have not already been auto-migrated.

If you don’t take any action, the changes outlined in the transition timeline above will automatically be applied to your domain. Use our Help Center to learn more about the transition from classic Sites to new Sites.

Additional details

Some sites may not be automatically replaced with a draft in new Google Sites due to page count limits or other factors. Please see this Help Center article for more information and to determine if your site is impacted and action is needed before December 31, 2021.

Getting started

  • Admins: 
    • Use the Classic Sites Manager to help your users make the transition. Using this console, admins can: 
      • View all classic Sites in your domain with the option to export to Google Sites for project management. 
      • Convert, archive, restore, or delete your websites, individually or in bulk. 
      • Bulk update ownership of sites.

Chrome for Android Update

Hi, everyone! We've just released Chrome 95 (95.0.4638.50) for Android: it'll become available on Google Play over the next few days.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Ben Mason
Google Chrome

Easily add to Google Docs with the new universal @ menu

What’s changing 

As part of our mission to build the future of work, smart canvas enables new ways to collaborate in Google Workspace. This includes smart chips, which enable you to add interactive building blocks to connect people, content, and events into one seamless experience. 

Now, we’ve added a universal insertion menu to easily add things like tables and images, in addition to smart chips, directly in Google Docs. Simply type “@”, and you’ll see a list of recommended files, people, meetings, as well as different content elements and formats to insert into your work. You can also search all available components. 

Typing @ to add to Google Docs

Who’s impacted 

End users 

Why it matters 

A quick and simple way to add rich elements to your content, the universal @ menu makes it easy to preview and read relevant documents, find associated meetings and stakeholders, add tables and images, and more, directly from Google Docs. 

Getting started 

  • Admins: There is no admin control for this feature. 
  • End users: There is no end user setting for this feature. Visit the Help Center to learn more about adding items with the @ menu 

Rollout pace 


  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers 


Extended Stable Channel Update for Desktop

The Extended Stable channel has been updated to 94.0.4606.101 for Windows and Mac which will roll out over the coming days/weeks.

A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista
Google Chrome

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 95 to the stable channel for Windows, Mac and LinuxThis will roll out over the coming days/weeks.

Chrome 95.0.4638.54 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 95.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 19 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$20000][1246631] High CVE-2021-37981 : Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04

[$10000][1248661] High CVE-2021-37982 : Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-11

[$10000][1249810] High CVE-2021-37983 : Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15

[$7500][1253399] High CVE-2021-37984 : Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja and Christian Jalio from Forcepoint on 2021-09-27

[$5000][1241860] High CVE-2021-37985 : Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20

[$6000][1242404] Medium CVE-2021-37986 : Heap buffer overflow in Settings. Reported by raven (@raid_akame)  on 2021-08-23

[$5000][1206928] Medium CVE-2021-37987 : Use after free in Network APIs. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08

[$5000][1228248] Medium CVE-2021-37988 : Use after free in Profiles. Reported by raven (@raid_akame)  on 2021-07-12

[$2000][1233067] Medium CVE-2021-37989 : Inappropriate implementation in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26

[$N/A][1247395] Medium CVE-2021-37990 : Inappropriate implementation in WebView. Reported by Kareem Selim of CyShield on 2021-09-07

[$TBD][1250660] Medium CVE-2021-37991 : Race in V8. Reported by Samuel Groß of Google Project Zero on 2021-09-17

[$TBD][1253746] Medium CVE-2021-37992 : Out of bounds read in WebAudio. Reported by [email protected] Security Light-Year Lab on 2021-09-28

[$TBD][1255332] Medium CVE-2021-37993 : Use after free in PDF Accessibility. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02

[$TBD][1243020] Medium CVE-2021-37996 : Insufficient validation of untrusted input in Downloads. Reported by Anonymous on 2021-08-24

[$3000][1100761] Low CVE-2021-37994 : Inappropriate implementation in iFrame Sandbox. Reported by David Erceg on 2020-06-30

[$1000][1242315] Low CVE-2021-37995 : Inappropriate implementation in WebApp Installer. Reported by Terence Eden on 2021-08-23

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

  • [1261511] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Prudhvikumar Bommana
Google Chrome

Chrome for iOS Update

Hi, everyone! We've just released Chrome 95 (95.0.4638.50) for iOS: it'll become available on App Store in the next few hours.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Harry Souders

Google Chrome

Personal meets powerful: Pixel 6 and Pixel 6 Pro are here

The wait is over: Pixel 6 and Pixel 6 Pro, the completely redesigned Google phones, are here. Powered by Google Tensor, Google’s first-ever processor, and shipping with Android 12, both phones are fast, smart, secure and designed to adapt to you. 

Pixel 6 is an outstanding all-around phone and it starts at only $799. If you want all the advanced capabilities and upgraded finishes, Pixel 6 Pro is the right phone for you, starting at $1,179. 

Powering the new Pixel lineup is Google Tensor, a mobile system on a chip designed specifically around Google’s industry-leading AI. Google Tensor enables entirely new capabilities for your smartphone, and makes Pixel 6 and 6 Pro more helpful and more personal. 

Distinct design 
Pixel has a bold new design this year with a cohesive look across the software on the inside and the hardware on the outside. The first thing you’ll notice is the Camera Bar, giving the phone a clean, symmetrical design that puts the camera front-and-center.
Pixel 6 has a distinctive graphic and vibrant look.. The matte black metal band complements the expressive, versatile colour options. Pixel 6 Pro was inspired by the finishes you see in luxury jewelry and watches. It’s made with a polished metal unibody and transitions into gorgeous curved glass in colors that complement the metallic frames. 

Speaking of color, Android 12 brings a full redesign to the OS, with Material You. 

Android 12 on Pixel 6 
Android 12 builds on the best features of Android so your phone can really be your phone: It can adapt to you, it’s secure by default and private by design. And Android 12 looks especially stunning on Pixel 6.
When you choose your wallpaper, your entire UI will update to reflect that choice. Everything will feel more responsive and smoother. At a Glance, which shows up on the home and lock screen, has a fresh new look and some new capabilities. Here, you’ll find what you need, right when you need it — like your boarding pass the day of your flight or stats from your current workout.

New Pixel, new camera 
Pixel 6 and Pixel 6 Pro have the most advanced cameras we’ve ever built. The entire camera experience is improved from the hardware to Pixel’s revolutionary computational photography. 

Both Pixel 6 and Pixel 6 Pro have a new 1/1.3 inch sensor on the back. This primary sensor now captures up to 150% more light (compared to Pixel 5’s camera), meaning you’re going to get photos and videos with even greater detail and richer colour. Both phones also have completely new ultrawide lenses with larger sensors, so photos look great when you want to fit more in your shot. 

Pixel 6 Pro also has an amazing telephoto lens with 4x optical zoom and up to 20x zoom with an improved version of Pixel’s Super Res Zoom. There’s also an upgraded ultrawide front camera that records 4K video. You can make use of that wider front camera in Snapchat’s new ultrawide selfie feature. Plus, for instant Snapchat access, the new Quick Tap to Snap feature is coming exclusively to Pixel 6 and 6 Pro later this year. 

Magic Eraser makes distractions in your photos disappear, just like that. With a few taps in Google Photos, remove strangers and unwanted objects.
Motion Mode features options like Action Pan and Long Exposure, which bring movement to your shots. You can use Action Pan to take photos of your kids riding their scooter or landing crazy skateboarding tricks against a stylish blurred background. Or create beautiful long exposure shots where your subject is moving, like waterfalls or vibrant city scenes.


Another significant advancement in photography across Pixel and Google Photos is Real Tone. Going back decades, cameras have been designed to photograph light skin — a bias that’s crept into many of our modern digital imaging products and algorithms. Our teams have been working directly with photographers, cinematographers and colorists who are celebrated for their beautiful and accurate imagery of communities of colour. We asked them to test our cameras and editing tools and provide honest feedback, which helped make our camera and auto enhancement features more equitable. 

Smarts and speech 
Pixel 6 and 6 Pro also have improved speech recognition and language understanding models, so it can make everyday tasks easier. For instance, you can now use your voice to quickly type, edit, and send messages with Assistant voice typing in Messages, Gmail and more. Let Google Assistant help with adding punctuation, making corrections, inserting emojis and sending your messages – hands-free. 

Finally, Live Translate enables you to message with people in different languages, including English, French, German, Italian and a beta version in Japanese. It works by detecting whether a message in your chat apps, like WhatsApp or Snap, is different from your language, and if so, automatically offers you a translation. All of this detection and processing happens entirely on-device within Private Compute Core, so no data ever leaves the device, and it works even without network connectivity. With support for Interpreter mode, you’ll also be able to take turns translating what is said in up to 48 languages. Activate Assistant and say “Be my interpreter.” 

One more thing: when you get an incoming call, just say “accept” or “decline” without having to use “Hey Google” every time by enabling Quick phrases. You can also “stop” and “snooze” alarms and timers! Get your hands on the new Pixel Pre-order Pixel 6 today, which starts at $799 and $1179 for the Pixel 6 Pro. You can preorder at gStore, Best Buy, Rogers, Telus, Glentel, Freedom and Amazon. The phones will be available on store shelves with all major Canadian carriers starting on October 28. We’re also launching a new collection of specially designed cases for Pixel 6, so you can protect your phone in style. 

However you buy it, and whichever Pixel 6 you pick, we know you are going to love your new phone.

Posted by Brian Rakowski, VP, Product Management

What’s next for YouTube, from Advertising Week New York

The pandemic accelerated two changes already underway — the move to streaming, and the move to ecommerce. As the number one streaming platform for ad-supported reach, YouTube is the place where hard-to-reach audiences come to be entertained and connect with creators and content they love. It’s also where audiences come to shop.

Today at Advertising Week New York, we’re sharing new ways to help marketers get ready for what’s coming next in streaming and commerce. We're also hosting a week-long live shopping event on YouTube starting November 15, featuring must-have holiday gifts from Samsung, Verizon and Walmart.

Inspire customers in real time with live shopping

The line between in-store and digital commerce has blurred, and shoppers are looking for inspiration and advice in new places. YouTube creators are at the forefront of this shift, sharing helpful, honest and entertaining shopping content that cuts through the noise. According to a study we ran in partnership with Publicis and TalkShoppe, 89% of viewers agree that YouTube creators give recommendations they can trust. As a result, people who shop on YouTube make faster, more confident purchase decisions — a win-win for both shoppers and brands.

Earlier this year, we started testing an integrated shopping experience that allows viewers to tap into the credibility and knowledge of trusted creators to make informed purchases on YouTube. We initially experimented with shoppable on-demand videos, and now we’re testing shoppable livestreams, too.

A shoppable livestream hosted by Simply Nailogical on a mobile phone

We recently partnered with several top YouTube creators to test our new live shopping features, including Simply Nailogical, who launchedher new nail polish collection to 2.8 million fans on herSimply Not Logical channel, andHyram, who droppedhis new ‘Selfless’ skincare line to 4.5 million fans.

We’ve also tested shoppable livestreams with leading retailers on their channels. Raven Elyse went live to sell her favorite home workout gear and morning routine essentials from Walmart, Sephora beauty directors hosted a live Q&A about makeup foundations, and Target performed a live style haul celebrating fall style.

“We think about YouTube as a connector to our customers — reaching people through inspiration, entertainment, and creativity," says William White, Chief Marketing Officer, Walmart. "At Walmart, we continue to innovate on behalf of the customer, and we are excited about our work together. Through our partnership with YouTube, we will continue to evolve how we link inspiration and commerce.”

Building on the success of these pilots, the YouTube Holiday Stream and Shop will kick off on November 15 with a week of shoppable livestreams. Fans tuning in will be able to score new products, unlock limited time offers, and get their product questions answered through live Q&A and polls with creators and other viewers. To start the week, the Merrell Twins will share their holiday wish list featuring products from Walmart, Samsung and Verizon. Stay tuned for more details as the holidays approach!

Reach more shoppers with connected TV

Last year, streaming households outnumbered cable TV households in the United States for the first time. And according to Comscore, 40% of all ad-supported streaming watch time is happening on YouTube.1

With 60% of YouTube CTV viewers watching with others2, people are connecting more deeply with each other by sharing YouTube content they love on the big screen. This means brands can easily extend the overall reach and impact of their campaigns. And as of this month, U.S. advertisers are able to fully measure their YouTube CTV video investments across YouTube and YouTube TV for an accurate view of true incremental reach and frequency in Comscore Campaign Ratings (CCR). Nielsen Digital Ad Ratings (DAR) CTV measurement is available for YouTube TV and will also be available soon for YouTube CTV in the U.S.

To make YouTube CTV ads more helpful for viewers and drive more online sales or leads for brands, we also recently upgraded Video action campaigns to automatically include CTV inventory. Learn more about how Video action campaigns on TV screens can help grow your business.

A lot has changed in the past year, but our commitment remains the same: we’re here to help your business grow and get ready for what comes next. To learn more about YouTube’s latest viewer insights and product innovations, watch our Advertising Week keynote.

1. Comscore, OTT Intelligence, Dec. 2020, U.S. (According to Comscore, YouTube represents 40% of watch time of all ad-supported streaming services analyzed)
2. Google/Talk Shoppe, United States, whyVideo 2021 study, n=2,000 A18-64 GenPop video users, Survey in field March 26th to April 4th, 2021. (According to Talk Shoppe, 60% of YouTube CTV viewers watch with other people)

An overview of our rater guidelines for Search

At Google, we like to say that Search is not a solved problem: We’re constantly making improvements (more than 4,800 last year alone). These changes can be big launches or small tune-ups, but they’re all designed to make Search work better for you, and to make sure you can find relevant, high quality information when you need it.

One of the key ways we determine if an improvement to Search works well is through the help of search quality raters. This group of more than 10,000 people all over the world work from a common set of search quality rater guidelines used to evaluate the quality of search results — which are publicly available. Today, we wanted to give you an idea of how these guidelines work, and how — just like Search itself — they improve over time.

What are the search quality rater guidelines?

The quality rater guidelines are more than 170 pages long, but if we have to boil it down to one phrase, we’d say they help make sure Search is returning relevant results from the most reliable sources available.

Information quality is at the heart of Search, and our systems fundamentally work to surface high-quality information. The rater guidelines help raters determine if a planned improvement is meeting that goal by providing a clear, uniform definition that all raters use to assess the results they see.

More specifically, high-quality information is content which demonstrates expertise, authoritativeness and trustworthiness on a topic, or E-A-T for short. For example, a health site with content from doctors and produced by a medical institution would have a high level of what many would consider to be expertise, authoritativeness and trustworthiness. The rater guidelines also define low-quality content on the web, such as content that spreads hate or seeks to deceive users.

Who uses the guidelines?

As we noted, the changes we make to Search are rigorously tested and evaluated by real people. Our search quality raters provide us with insights and evaluate pages against our guidelines to help make sure our systems — and proposed improvements — are working as intended.

What that looks like in practice is often a “side-by-side” test where a rater will look at two sets of Search results, one from the current version of Google and the other from an improvement we’re testing. Raters will review the pages in each set of results, and evaluate if the pages are a helpful match for the query based on our rater guidelines.

The ratings they provide don’t directly impact how a page or site appears in Search. Instead, they help us measure how well our systems are working to deliver great content.

How often are the rater guidelines updated?

Just like we make improvements to Search, we update the rater quality guidelines from time to time to make sure they’re working as intended.

Some changes are meant to tackle issues we’ve identified in Search, and may include expanded sections and new examples to help guide raters. For example, in 2017, we updated our guidelines to provide more detailed examples of low-quality web pages that included misleading information, unexpected offensive results, hoaxes or other content.

Sometimes, we identify concepts that are especially challenging for raters. We then make changes to the guidelines to improve ratings. In 2020, for instance, we provided new guidance on how to tell if a result from a dictionary or encyclopedia would be useful for a certain query.

Other changes focus on things like refreshing the language for clarity and updating organization. That’s what made up most of our October 2021 update, which included clarifications of what constitutes lowest quality content, and refreshed and modernized guidance on researching the reputation of websites.

We rigorously review, test and evaluate all changes to ensure they’re helpful and having the intended effect. And we have a publicly available log at the end of our guidelines describing in detail any changes we make. Ultimately, these updates are designed to make Search work better for you.

Protect your open source project from supply chain attacks

From executive orders to key signing parties, 2021 has been the year of supply chain security. If you’re an open source maintainer, learning about the attack surface of your project and the threat vectors throughout your project’s supply chain can feel overwhelming, maybe even insurmountable. The good news is that 2021 has also been the year of supply chain security solutions. While there’s still plenty of work to be done, and plenty of room for improvement in existing solutions, there are preventative controls you can apply to your project now to harden your supply chain and prevent compromise.

At All Things Open 2021, the audience learned about best practices for supply chain security through a quiz game. This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks. These recommendations follow the SLSA framework and OpenSSF Scorecards rubric, and many can be implemented automatically by using the Allstar project.

An example of a typical software supply chain and examples of attacks that can occur at every link in the chain.
An example of a typical software supply chain and examples of attacks that can occur at every link in the chain.

Q1: What should you do to protect your developer accounts from takeover?
  1. ANSWER: Use multi-factor auth (with a security key if possible)
  2. Use a shared account for core maintainers
  3. Make sure to write all your passwords in rot13
  4. Use an IP allowlist
Why and how: A malicious actor with access to a developer account can pretend to be a known contributor and submit bad code. Encourage contributors to use multi-factor authentication (MFA) not only for platforms where they send commits, but also for accounts associated with contributions, such as email. Where possible, security keys are the recommended form of MFA.

Q2: What should you do to avoid merging malicious commits?
  1. ANSWER: Require all commits to be reviewed by someone who is not the commit author
  2. Auto-run tests on all commits
  3. Scan for the word ‘bitcoin’ in all commits
  4. Only accept commits from contributors who have accounts older than 1 year
Why and how: Self-merging (also known as a unilateral change) introduces two risks: 1) An attacker who has compromised a contributor’s account can inject malicious code directly into the project, or 2) A well-intentioned person can merge a commit that accidentally introduces a security risk. A second set of authenticated eyes can help avoid malicious submissions and accidental weaknesses. Set this up as an automated requirement if possible (such as using GitHub’s Branch Protection settings); tools like Allstar can help enforce this requirement. This corresponds to SLSA level 4.

Q3: How can you protect secrets used by your CI/CD pipeline?
  1. ANSWER: Use a secret manager tool
  2. Appoint a maintainer to control secrets access
  3. Store secrets as environment variables
  4. Store secrets in a separate repo
Why and how: The “defense in depth” security concept is about applying multiple, different layers of defense to protect systems and sensitive data, such as secrets*. A secret manager tool (like Secret Manager for GCP users, HashiCorp Vault, CyberArk Conjur, or Keywhiz) removes the need for hard-coding secrets in source code, provides centralization and audit capabilities, and introduces an authorization layer to prevent leaking secrets.

*When storing sensitive data in a CI system, ensure it is truly for CI/CD purposes, and not data that is better suited for a password or identity manager.

Q4: What should you do to protect your CI/CD system from abuse?
  1. ANSWER: Use access controls following the principle of least privilege
  2. Run integration tests on all pull requests/commits
  3. Mark all contributors as “Collaborators” through GitHub roles
  4. Run CI/CD systems locally
Why and how: Defaulting to “the least amount of access necessary” for your project repository protects your CI/CD system from both unintended access and abuse. While running tests is important, running tests on all commits/pull requests by default—before they’ve been reviewed—can lead to unintentional and malicious abuse of your CI/CD system’s compute resources.

Q5: What should you do to avoid compromise during build time?
  1. ANSWER: Define build definitions and configurations as code, eg build.yaml
  2. Make your builds run as quickly as possible so attackers have no time to compromise your code
  3. Only use LEGO brand components in your build system, accept no substitutes
  4. Delete build logs to avoid leaving clues for attackers
Why and how: Using a build script—a file that defines the build and its steps, like build.yaml—removes the need to manually run build steps, which could possibly introduce an accidental misconfiguration. It also reduces the opportunity for a malicious actor to tamper with the build or insert unreviewed changes. This corresponds to SLSA levels 1-4.

Q6: How should you evaluate dependencies before use?
  1. ANSWER: Assess risk and transitive changes with tools like Scorecards and
  2. Check for a little ‘lock’ icon next to the package url
  3. Only use dependencies that have a minimum of 1,000 GitHub stars
  4. Only use dependencies that have never changed maintainers
Why and how: There isn’t one definitive measure that can tell you a package is “good” or “bad;” every project has different security profiles and risk tolerances. Gathering information about a dependency, and what changes it might introduce transitively, will help you decide if a dependency is “safe” for your project. Tools like Open Source Insights ( map first layer and transitive dependencies, while Scorecards gives packages a score for multiple risk assessment metrics, including use of security policies, MFA, and branch protection.

Once you determine what dependencies you’re using, running a vulnerability scanning tool such as Open Source Vulnerabilities regularly will help you stay up to date on the latest releases and patches. Many vulnerability scanning tools can also apply automatic upgrades.

Q7: What should you do to ensure your build is the build you think it is (aka verification)?
  1. ANSWER: Use a build service that can generate authenticated provenance
  2. Check the last commit to be sure it’s from a trusted committer
  3. Use steganography to embed your project logo into the build
  4. Run conformance tests for each release
Why and how: Showing the origin and artifacts of a build (the build’s provenance) demonstrates to the user that the build has not been tampered with, and is the correct build. There are many components to provenance; one method to deliver these components is to use a build service that generates and authenticates the data needed to show provenance. This corresponds to SLSA levels 2-4.

Q8: What should you look for when selecting artifacts from a registry?
  1. ANSWER: That artifacts have been cryptographically and verifiably signed
  2. That artifacts are not cursed (through being stolen from tombs)
  3. Timestamps: only use the most recent artifact created
  4. Official endorsement: look for the logo of a trusted brand or standards body
Why and how: Just as you should generate provenance and sign builds for your projects (SLSA levels 2-4), you should also look for the same verification when using artifacts from others. Logos and other brand-based forms of endorsement can be falsified and are used by typosquatters to fake legitimacy; look for tamper-proof verification like signatures. For example, Sigstore helps OSS projects sign their builds, and validate the builds of others.

Improving your project’s security is a continuous journey. Some of these recommendations may not be feasible for your project today, but every step you can take to increase your project’s security is a step in the right direction.

Resources for open source project security:
  • SLSA: A framework for levels of supply chain security
  • Scorecards: A measurement of security best practices use
  • Allstar: A GitHub app for enforcing security best practices
  • Open Source Insights: A searchable visualization of open source project dependencies
  • OSV: A vulnerability database and automation infrastructure for open source
By Anne Bertucio, Google Open Source Programs Office