Document transitive allowlisting limitations #1328
Labels
docs
Documentation-related issues
Comments
|
Related: #1327 See this comment for more details related specifically to the Go toolchain's More broadly this would also apply to things like |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Transitive allowlisting is a powerful feature to allow developers to live in LOCKDOWN mode. However there are certain limitations in the current implementation that developers need to be aware of to ensure the feature can work properly.
This largely means that Santa must be given a (brief) opportunity to create a transitive rule before any resultant binary is executed.
Solving this completely is likely not desirable. It would require a large amount of synchronization between Santa's event stream processing compiler operations and the event stream responsible for authorizing execs. This would require a lot of contention that would likely degrade build performance in unacceptable ways.
The text was updated successfully, but these errors were encountered: