
Design partner feedback: firmware release evidence workflow #2

Description

@tendervault

This issue is for structured design-partner feedback.

AssureLoop is an open-source release assurance workflow for embedded firmware. The current v0.3 hardware-alpha focuses on Zephyr + MCUboot and the ST NUCLEO-H563ZI board.

The goal is to understand whether this workflow matches real embedded release pain.

Current workflow:

  1. Build Zephyr firmware.
  2. Produce signed image artifacts.
  3. Generate SBOM files.
  4. Generate a release manifest.
  5. Package evidence into an evidence bundle.
  6. Verify evidence bundle contents and hashes.
  7. Create an update package.
  8. Verify update package payload, target, and version behavior.
  9. Validate MCUboot lifecycle behavior on hardware.

Questions for embedded teams:

  1. How do you currently prove what firmware was shipped?
  2. Do you generate SBOMs for firmware releases?
  3. Do you have a release manifest or artifact hash record today?
  4. How do you verify update packages before deployment?
  5. Who inside your organization cares about firmware release evidence?
  6. What compliance, customer-security, or audit requirements affect your firmware releases?
  7. Would AssureLoop fit beside your existing build/release process?
  8. What board, RTOS, or release artifact support would matter most?
  9. What would make AssureLoop too difficult to adopt?
  10. What is missing from the current v0.3 workflow?

This is not a sales thread. The goal is to learn what real teams need before expanding the project.
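An added illustration of step 6 in the workflow above (verifying evidence bundle contents and hashes); it is not AssureLoop code. The `manifest.json` layout, the artifact file names and the function names are assumptions made for this example.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_bundle(bundle_dir: Path, manifest_name: str = "manifest.json") -> list[str]:
    """Return findings; an empty list means the bundle matches its manifest."""
    root = bundle_dir.resolve()
    manifest_path = root / manifest_name
    # Assumed layout: {"artifacts": [{"path": ..., "sha256": ...}, ...]}
    manifest = json.loads(manifest_path.read_text())
    findings, listed = [], set()
    for entry in manifest["artifacts"]:
        rel = entry["path"]
        target = (root / rel).resolve()
        if not target.is_relative_to(root):   # reject ../ and absolute paths
            findings.append(f"path escapes bundle: {rel}")
            continue
        listed.add(target)
        if not target.is_file():
            findings.append(f"missing: {rel}")
        elif not hmac.compare_digest(sha256_file(target), entry["sha256"].lower()):
            findings.append(f"hash mismatch: {rel}")
    # Files present in the bundle but absent from the manifest are findings too.
    for p in sorted(root.rglob("*")):
        if p.is_file() and p != manifest_path and p.resolve() not in listed:
            findings.append(f"unlisted: {p.relative_to(root).as_posix()}")
    return findings

def build_sample_bundle(root: Path) -> None:
    """Constructed sample data: names and contents are made up for the demo."""
    files = {"zephyr.signed.bin": b"constructed firmware bytes",
             "sbom.spdx.json": b'{"constructed": true}'}
    artifacts = []
    for name, data in files.items():
        (root / name).write_bytes(data)
        artifacts.append({"path": name, "sha256": hashlib.sha256(data).hexdigest()})
    (root / "manifest.json").write_text(json.dumps({"artifacts": artifacts}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_bundle(root)
        print("clean bundle:", verify_bundle(root))
        (root / "zephyr.signed.bin").write_bytes(b"tampered")
        (root / "extra.bin").write_bytes(b"not in manifest")
        print("after changes:", verify_bundle(root))
```

A clean result only shows the bundle is consistent with its manifest; the manifest itself still needs an authenticity check, such as a signature, before it counts as release evidence.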
