-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Buildpack Registry #24
Conversation
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
b580b02
to
5aa2643
Compare
Have you looked at https://github.com/opencontainers/artifacts? |
This is really interesting. I've love something like this to just front arbitrary registries with a vanity domain. Aggregating across multiple registries is a cool idea, that could help with a lot of different problems. You could potentially use this to pull a buildpack/image by digest without having to specify a location cc @jchesterpivotal @dprotaso
It's essentially impossible to do this right now in a portable way, see opencontainers/distribution-spec#22 You should get involved in steve's efforts to define search requirements.
Somewhat related is signing artifacts. Keeping in sync with the registries you're fronting will be tough. What happens if someone deletes a buildpack from the underlying registry? I'll also reiterate that it's important to be careful in writing any software that assumes a central registry. A lot of problems were caused by a dockerhub default, e.g.:
|
@jonjohnsonjr thanks for taking a look! The signing stuff in particular is very interesting, and I'll read up on the search requirements. The "keeping in sync" part is tricky, and I'll add that to Risks. I think deletion is the main concern (as opposed to pushing new tags in a repo w/o a corresponding buildpack). With regard to it being a central registry, my hope is that it not. Heroku will run it's own instance (and may actually run several). I can image users wanting to run per-cluster instances of a buildpack registry too (to support private buildpacks). |
Steve opened some issues for signing and search if you're interested in participating in those conversations: |
1. Sign the token | ||
1. Add the signed token to the buildpackage metadata. | ||
1. Sign the token using the private key | ||
1. Add the token signature to the buildpackage metadata. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With a temporary signing keypair and only the signature in the buildpackage, how does the consumer find and trust the public key they use to verify the signature?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, this is just about verifying the push to registry, not about end users verifying anything. The buildpack registry can just hold the public key in a local cache. Sorry for the noise.
closing in favor of #35 |
Readable