Move the transparency log feature out of experimental #116
Comments
Some things I want to figure out first:
How should this be configured? Opt in vs. opt out? Proposal: Upload send by default for public images (where we can tell), but opt-in for private images.
How should verification be configured? Is it a failure to verify if the signature is not present? Proposal: Check by default for a public image, but warn if the signature is not present, but still pass. Opt-in check for private images. If the opt-in flag is passed for public or private, fail if the signature is not present.
I think we're close here with offline bundling. We'll still want to be careful about adding entries to the log, but verification can happen if there's a bundle, whether or not we're in experimental.
@dlorenc is this issue still valid or should we close it out? It was added to the GA plan (unclear as to why), so I wanted to verify before taking it off the plan of record.
So this basically means that we will remove the "experimental" env var requirement from cosign once Rekor/Fulcio are stable. Think it makes sense as a GA requirement since GA assumes the services are reliable not experimental.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.
sgtm, will close!
…at-v2.2 Update RHTAP references (redhat-v2.2)
No description provided.