You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Collect user data to validate assumptions and inform decision-making
Find out who is using our tools
Related user stories
As a downstream consumer of K8s releases, I would like to be able to check the integrity of binaries, container images, documents, and other files that form a K8s release, so that I can trust that the release is secure.
As a downstream consumer of K8s releases, I would like my releases to comply with SLSA 3, so that I can be maximally confident that my release hasn’t been tampered with. (See also KEP #3027)
Hyperscalers, products on top of K8s. The notion of trust doesn't apply to them? They don't need K8s to be SLSA 3-compliant. They pull the source code to build something themselves. People trusting us build custom installers (KubeSpray, for example), end users building K8s envs because they don't have a choice, sovereign cloud.
How people use the images
What they expect to have in the images
Tasks
Ask CNCF users tag for ideas on data collection/surveys
Seek data on who is using our tools
Develop mechanism to collect regular feedback
Ask Cluster Lifecycle for their data
Involve SIG Contribex Comms/K8s mailing list
Maybe Brandon Mitchell should be involved. He led the OCI initiatives including standard, security, artifacts https://github.com/sudo-bmitch
