Spike: Evaluate how to split validating data from validating signatures #1129

@lasomethingsomething

Description

Objective

  • Support the goal of breaking up the image promoter monolith by closely examining the code and describing how we could pursue a more modular design

Steps

  • Present a 1-2 page proposal describing the necessary implementation steps and listing pros/cons/tradeoffs. Shouldn't be technical.
    - [ ] Core Problem to be Solved: What should an image have for it to be a candidate for a promotion?
    - [ ] Build provenance attached (signed or unsigned TBD)
    - [ ] Images will have to go through a CVE scanner, and certain classes are unacceptable for promotions (examining what "certain classes" might be will require SIG Security's involvement)
    - [ ] SBOMs: Do we recommend an SBOM during the promotion process, or not?
  • Define the requirement using collected input from SIG Testing, K8s-Infra, and Security; this would be very valuable
  • Seek input from SIG members and achieve buy-in so the group can reach consensus and move forward

Context and things to think about while working on this task

  • Work is partly dependent upon other research and decisions (see project board)

Labels: lifecycle/frozen (indicates that an issue or PR should not be auto-closed due to staleness)

Status: Todo
