Move the transparency log feature out of experimental #116
Comments
|
Some things I want to figure out first: How should this be configured? Opt in vs. opt out?Proposal: Upload send by default for public images (where we can tell), but opt-in for private images. How should verification be configured?Is it a failure to verify if the signature is not present? Proposal: Check by default for a public image., but warn if the signature is not present, but still pass. Opt-in check for private images. If the opt-in flag is passed for public or private, fail if the signature is not present. |
|
I think we're close here with offline bundling. We'll still want to be careful about adding entries to the log, but verification can happen if there's a bundle, whether or not we're in experimental. |
|
@dlorenc is this issue still valid or should we close it out? It was added to the GA plan (unclear as to why), so I wanted to verify before taking it off the plan of record. |
|
So this basically means that we will remove the "experimental" env var requirement from cosign once Rekor/Fulcio are stable. Think it makes sense as a GA requirement since GA assumes the services are reliable not experimental. |
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
sgtm, will close! |
…at-v2.2 Update RHTAP references (redhat-v2.2)
No description provided.
The text was updated successfully, but these errors were encountered: