docs: eliminate false-capability claims + v1.0.12#29
Merged
Conversation
Follow-up audit for the "documents a capability that doesn't work" class (prompted by the managed-DBaaS claims). Beyond the DBaaS fixes already on main, corrected: - internal/audit/transparency.go: the TransparencyLog comment claimed a rekor.Log implementation ships; only self-hosted StorageBackedLog exists — external Rekor is post-v1.0 roadmap. Reworded to "planned". - docs/compliance/pci-dss.md: the QSA evidence-bundle runbook told auditors to verify an image-level SLSA attestation that isn't produced (image unpublished; image SLSA is roadmap). Added the caveat + a working blob/tarball slsa-verifier alternative. - docs/reference/build-flavours.md: dropped the "official pg-hardstorage-fips distribution artifact ... out of the box" framing (no such artifact ships) → build-from-source + planned note. - SPEC.md: Scoop and -fips/-pg-ext container image variants were listed as shipped; marked planned/gated. Audit confirmed the managed-DBaaS class is fully eliminated (every RDS/Aurora/Cloud SQL/Azure/Neon/Supabase mention is now a negation; self-hosted/self-managed remains the only supported target). Release prep: CHANGELOG 1.0.12 and doc version examples bumped.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to the managed-DBaaS fix (already on main): an audit for the whole "documents a capability that doesn't actually work" class, plus the v1.0.12 release.
Confirmed & fixed (this PR)
internal/audit/transparency.go): comment claimed arekor.Logimplementation ships — it doesn't exist; only self-hostedStorageBackedLogdoes. Now "planned, post-v1.0".docs/compliance/pci-dss.md): instructed a QSA to verify an image-level SLSA attestation that isn't produced (image unpublished; image SLSA is roadmap). Added the caveat + a working blob/tarballslsa-verifieralternative.docs/reference/build-flavours.md): "official pg-hardstorage-fips distribution artifact … out of the box" — no such artifact ships. Reworded to build-from-source + planned note.-fips/-pg-extimage variants listed as shipped → planned/gated.Already on main (619a19d)
Managed DBaaS (RDS/Aurora/Cloud SQL/Azure/Neon/Supabase) false-support claims in the LLM README, SPEC, and sidecar chart — corrected to self-managed-only. This PR also fixes
SPEC.md:97(START_REPLICATION"works on managed PostgreSQL").Audit result
The managed-DBaaS class is fully eliminated — every mention is now a negation; self-hosted/self-managed is the only supported target. Verified-accurate claims (Windows hedging, CNPG-I roadmap, compat shims build-from-source, Helm OCI unpublished, logical-decoding pgoutput on managed PG) were left untouched.
No behaviour change;
go build ./...clean. CHANGELOG + doc versions bumped to 1.0.12.