Hello,

I would like to raise an important security concern regarding two critical tools used in firmware build pipelines:

- SimplicityCommander-Linux.zip
- slc_cli_linux.zip

Currently, these tools are only available as unversioned downloads that always provide the latest release. This creates several security and reproducibility issues:

- No way to pin specific versions in build pipelines
- Unable to implement proper integrity checking of downloaded tools
- Cannot verify authenticity of the toolchain components
- Impossible to achieve reproducible builds due to potentially different tool versions

This issue has been previously raised in the SiLabs Community (see: https://community.silabs.com/s/question/0D58Y00008rSY1pSAG/slc-cli-access-to-released-versions) but remains unaddressed.

Suggested improvements

- Provide versioned releases of both tools (e.g., slc_cli_linux_v1.2.3.zip)
- Include cryptographic signatures or checksums for package verification
- Maintain an archive of previous versions for backwards compatibility

These changes would significantly improve the security posture of projects using SiLabs tools by enabling:

- Reproducible builds
- Supply chain security through package verification
- Controlled tool upgrades in production environments

We hope this can be prioritized as it impacts the security of the entire SiLabs ecosystem. Many organizations are moving towards more stringent supply chain security requirements, and having verifiable, versioned tooling is becoming increasingly critical.

Thank you for considering this security enhancement request.
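One way a build pipeline would consume versioned, checksummed releases of the kind requested above, as an added example that is not part of the issue or of Silicon Labs' tooling: the versioned URL scheme, the lockfile line format and the hash values are assumptions, and the download step is deliberately separated from the verification step so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the issue or Silicon Labs): pin a build tool by
# version and SHA-256, and refuse to use the download if the digest drifts.
# The versioned URL scheme, lockfile format and hashes below are assumptions;
# today the downloads are unversioned, which is what makes this check impossible.
set -eu

# sha256_of FILE -> prints the lowercase hex digest (GNU coreutils or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch (diagnostic on stderr)
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "integrity check FAILED for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_pinned TOOL VERSION EXPECTED_SHA256 BASE_URL
# Downloads the versioned archive to a temp file and verifies it before moving
# it into place, so a tampered or silently updated download never reaches the
# build. Prints the archive name on success.
fetch_pinned() {
    tool=$1; version=$2; expected=$3; base=$4
    archive="${tool}_v${version}.zip"      # naming scheme proposed in the issue
    tmp=$(mktemp)
    curl -fsSL "${base}/${archive}" -o "$tmp"
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$archive"
        echo "$archive"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed lockfile entry (placeholder hash, not a real release):
#   slc_cli_linux 1.2.3 0000000000000000000000000000000000000000000000000000000000000000
# Usage in CI (URL is a placeholder):
#   fetch_pinned slc_cli_linux 1.2.3 "$(awk '/^slc_cli_linux /{print $3}' tools.lock)" \
#       "https://example.invalid/tools" || exit 1
```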