Security: peczenyj/GDPR-IAB-TCFv2

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability within this project, please send an e-mail to tiago.peczenyj+cpan@gmail.com.

All security vulnerabilities will be promptly addressed. We request that you do not report security-related issues through public GitHub issues.

Supply Chain Security

This project meets SLSA Build Level 2. Every release produces signed build provenance — a document describing how each artifact was built — generated by the Release GitHub Actions workflow running on GitHub-hosted runners and stored in GitHub's attestation store. The provenance is signed via Sigstore (keyless OIDC) with an identity bound to the release workflow, so consumers can confirm it is authentic. A hosted build platform and signed, authentic provenance are what distinguish Build Level 2 from Level 1.

Provenance is generated for both published artifacts:

  • the CPAN distribution tarball (GDPR-IAB-TCFv2-*.tar.gz), and
  • the Docker image (docker.io/peczenyj/GDPR-IAB-TCFv2).

Verifying provenance

With the GitHub CLI installed, you can verify that an artifact was built by this repository's release workflow:

# CPAN distribution tarball (downloaded from the GitHub Release)
gh attestation verify GDPR-IAB-TCFv2-X.Y.tar.gz --repo peczenyj/GDPR-IAB-TCFv2

# Docker image
gh attestation verify oci://docker.io/peczenyj/GDPR-IAB-TCFv2:vX.Y --repo peczenyj/GDPR-IAB-TCFv2

Replace X.Y with the release version.
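The gh command above checks the Sigstore signature and the signing identity. As an added example (not part of this project), the following Python shows the content checks a consumer still wants to run on the decoded in-toto statement that the attestation carries: the artifact's sha256 is listed as a subject, the builder identity is a workflow of this repository, and the build ran on a tag ref. The statement is a constructed sample shaped like SLSA v1 provenance; the workflow file path and digest values are assumptions, not taken from a real release.

```python
import hashlib
import json

# Constructed sample of a SLSA v1 provenance statement, trimmed to the
# fields checked below. The tarball bytes, tag and workflow path are
# placeholders (assumptions), not those of any real release.
EXPECTED_REPO = "https://github.com/peczenyj/GDPR-IAB-TCFv2"
SAMPLE_TARBALL = b"constructed tarball bytes, not a real release"
SAMPLE_STATEMENT = json.loads(json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "GDPR-IAB-TCFv2-X.Y.tar.gz",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_TARBALL).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/vX.Y",
                "repository": EXPECTED_REPO,
                "path": ".github/workflows/release.yml"}}},  # path is assumed
        "runDetails": {"builder": {
            "id": EXPECTED_REPO + "/.github/workflows/release.yml@refs/tags/vX.Y"}},
    },
}))


def check_provenance(statement: dict, artifact: bytes, expected_repo: str) -> list:
    """Return the list of policy failures; an empty list means the provenance passes.

    Signature validity is gh's job. These are the content checks: right predicate
    type, the artifact digest actually present as a subject, and a builder identity
    rooted in the expected repository running on a tag (a release, not a branch build).
    """
    failures = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append("artifact sha256 not among provenance subjects")
    pred = statement.get("predicate", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(expected_repo + "/.github/workflows/"):
        failures.append("builder id not a workflow of the expected repository")
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:
        failures.append("workflow repository mismatch")
    if not wf.get("ref", "").startswith("refs/tags/"):
        failures.append("workflow did not run on a tag ref")
    return failures
```

Run it against a real statement by decoding the DSSE payload from the attestation bundle and hashing the downloaded tarball; a tampered artifact or a fork's workflow shows up as a listed failure.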

There aren't any published security advisories