Skip to main content
Distribution hardening is the release practice of making public artifacts harder to tamper with, impersonate, or inspect casually without leaving the limits of what release evidence supports. It should be documented with evidence, not slogans.

Required Evidence For A Public Release

  • Artifact filename and version.
  • Artifact hash.
  • Manifest path.
  • Signature or verification mechanism when available.
  • Release channel.
  • Rollback path.
  • Hardening method summary.
  • Known limits.

Allowed Public Wording

Hardening can raise the cost of artifact inspection and tampering under verified limits.

Avoid

  • Promising that inspection is impossible.
  • Promising that artifact analysis cannot happen.
  • Describing hardening without artifact hashes.
  • Treating obfuscation as correctness evidence.

Release Artifact Review

A public release note should identify the artifact, version, hash, manifest, signature or verification mechanism when available, release channel, hardening evidence and known limits.