Discuss further revisions to CI/CD privacy notice #2800
Comments
I think my preference here is to make opt-in explicit with a unique That said, it's a little user-hostile so I'd be happier if we introduce a local Cosign state first so you could accept the terms permanently.
Chatted with Zack about this, summary of a few ideas from the chat:
Shouldn't have to worry about deprecations for any of these changes. We'll alias
Hi, I'm a bit confused by the specification of
We chatted about that too, probably need a different name. The goal is some flag that bypasses all prompts
Thanks for mentioning that, @favonia. Yeah, I think the goal here is:
We probably need to bikeshed a little (e.g., we should replace rather than rename --yes) but I think the core ideas are right.
Suggestion: can we put the ToS on https://oauth2.sigstore.dev/auth/device so that we can log in AND agree with the ToS at the same time?
I think that's a great idea, but there's a catch: the OAuth URL doesn't capture all of the flows that might result in something being uploaded to a transparency log (there's Rekor and also ambient-credential-based OAuth flows). I'd also be worried that it'd be easy to miss.
Description
From conversation with @haydentherapper, as a follow-on to #2796 / #2797, this is a longer-term placeholder to follow up on whether to further revise / expand the privacy statement notice as relates to CI/CD usage.
May also want to consider whether to clarify usage of flags (e.g. --yes) in connection with non-interactive usage.