Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC: Buildpack Registry #24

Closed
wants to merge 5 commits into from
Closed

RFC: Buildpack Registry #24

wants to merge 5 commits into from

Conversation

jkutner
Copy link
Member

@jkutner jkutner commented Sep 19, 2019
edited
Loading

@jkutner
First draft of buildpack registry rfc
d153b41 
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jkutner
revisions to buildpack regsitry
d938c95 
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jkutner
added search to bp registry rfc
719ec3d 
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jkutner
sign instead of encrypt in bp reg rfc
7f0bc7d 
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jkutner
Updated the token signing process for buildpack registry RFC
5aa2643 
Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jonjohnsonjr
Copy link

Have you looked at https://github.com/opencontainers/artifacts?

@jonjohnsonjr
Copy link

This is really interesting. I've love something like this to just front arbitrary registries with a vanity domain.

Aggregating across multiple registries is a cool idea, that could help with a lot of different problems. You could potentially use this to pull a buildpack/image by digest without having to specify a location cc @jchesterpivotal @dprotaso

  • How will we index buildpacks to facilitate searching?
  • How will we index buildpacks to facilitate fast resolution (w/o spamming the registry)?

It's essentially impossible to do this right now in a portable way, see opencontainers/distribution-spec#22

You should get involved in steve's efforts to define search requirements.

The registry will not store any secrets. It will only store a mapping of Buildpack Registry account to third-party account.

Somewhat related is signing artifacts.

Keeping in sync with the registries you're fronting will be tough. What happens if someone deletes a buildpack from the underlying registry?

I'll also reiterate that it's important to be careful in writing any software that assumes a central registry. A lot of problems were caused by a dockerhub default, e.g.:

  • Parsing references to images is hard (i.e. ambiguous) because omitting the registry defaults to dockerhub.
  • For a long time, it was impossible to set up a mirror for anything other than docker. Related.

@jkutner
Copy link
Member Author

jkutner commented Sep 27, 2019

@jonjohnsonjr thanks for taking a look! The signing stuff in particular is very interesting, and I'll read up on the search requirements.

The "keeping in sync" part is tricky, and I'll add that to Risks. I think deletion is the main concern (as opposed to pushing new tags in a repo w/o a corresponding buildpack).

With regard to it being a central registry, my hope is that it not. Heroku will run it's own instance (and may actually run several). I can image users wanting to run per-cluster instances of a buildpack registry too (to support private buildpacks).

@jonjohnsonjr
Copy link

Steve opened some issues for signing and search if you're interested in participating in those conversations:
opencontainers/distribution-spec#70
opencontainers/distribution-spec#71

wking
wking reviewed Dec 1, 2019
View reviewed changes
text/0000-buildpack-registry.md
1. Sign the token
1. Add the signed token to the buildpackage metadata.
1. Sign the token using the private key
1. Add the token signature to the buildpackage metadata.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With a temporary signing keypair and only the signature in the buildpackage, how does the consumer find and trust the public key they use to verify the signature?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, this is just about verifying the push to registry, not about end users verifying anything. The buildpack registry can just hold the public key in a local cache. Sorry for the noise.

@jkutner
Copy link
Member Author

jkutner commented Dec 12, 2019

closing in favor of #35

@jkutner jkutner closed this Dec 12, 2019
nebhale added a commit that referenced this pull request Jan 29, 2020
@nebhale
RFC #24
8ab66c1 
[resolves #45]

Signed-off-by: Ben Hale <bhale@pivotal.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wking wking wking left review comments

@ekcasey ekcasey Awaiting requested review from ekcasey

@hone hone Awaiting requested review from hone

@nebhale nebhale Awaiting requested review from nebhale

@sclevine sclevine Awaiting requested review from sclevine

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkutner @jonjohnsonjr @wking