cmd: dockerfile resolve #1120
Conversation
One nit.
Kindly ping folks. It seems everything is ok right now, which means it is ready to merge. 🙋🏻♂️
Will take a look!
Sorry, we dropped the ball here. I think we resolved all reviews.
Kind ping here for review 🤗
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
This is great work - but I am wondering whether it makes sense to have functionality like this directly within cosign. Sure it's helpful, but the art of ensuring that images are pinned to a digest may be better sitting in a different tool (e.g. https://github.com/sethvargo/ratchet), and kind of spans way further than just Dockerfiles. @dlorenc @Dentrax @mattmoor @imjasonh what are your thoughts on this? Also adding @znewman01 as he has been considering the digest pinning scenario in #2313
I would normally agree - this sounds a little "kitchen sink-y" to me. But I think the reason (IMO) this wouldn't go in another tool like Ratchet would be the separation in the tooling between "resolve" and "verify." It'd be way too easy to "resolve" with Ratchet and wind up with image digests that are untrusted. TBH my ideal flow would be one-step, checking signatures as part of resolving:
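The one-step resolve-and-verify flow the comment above argues for, as an added example that is not part of this PR or of cosign's own code: it walks the FROM lines of a constructed Dockerfile, resolves each tag through a hypothetical Resolver, and only writes image:tag@digest to the output once a hypothetical Verifier has accepted that exact digest, failing closed otherwise. The MapResolver and SetVerifier stand-ins, the sample Dockerfile, and the digests are all constructed for this example; a real implementation would query the registry and run cosign's signature verification in their place.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Resolver turns a tag reference such as "alpine:3.18" into a manifest digest.
// Hypothetical interface for this example; a real one would query the registry.
type Resolver interface {
	Resolve(ref string) (digest string, err error)
}

// Verifier checks that a trusted signature exists for exactly that digest.
// Hypothetical interface; cosign's own verification API is not used here.
type Verifier interface {
	Verify(ref, digest string) error
}

// MapResolver and SetVerifier are constructed in-memory stand-ins so the
// example runs offline.
type MapResolver map[string]string

func (m MapResolver) Resolve(ref string) (string, error) {
	d, ok := m[ref]
	if !ok {
		return "", fmt.Errorf("resolve %s: unknown reference", ref)
	}
	return d, nil
}

type SetVerifier map[string]bool

func (s SetVerifier) Verify(ref, digest string) error {
	if !s[digest] {
		return fmt.Errorf("verify %s@%s: no trusted signature", ref, digest)
	}
	return nil
}

// fromLine captures: prefix, optional flags (--platform=...), image, remainder (AS name).
var fromLine = regexp.MustCompile(`(?i)^(\s*FROM\s+)((?:--\S+\s+)*)(\S+)(.*)$`)

// ResolveDockerfile rewrites every FROM that names an external image to
// image:tag@digest. It fails closed: one unverifiable image aborts the whole
// rewrite, so "resolve" can never produce a digest that "verify" did not accept.
func ResolveDockerfile(src string, r Resolver, v Verifier) (string, error) {
	stages := map[string]bool{} // aliases introduced by "FROM x AS name"
	var out []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		m := fromLine.FindStringSubmatch(line)
		if m == nil {
			out = append(out, line)
			continue
		}
		prefix, flags, image, rest := m[1], m[2], m[3], m[4]
		switch {
		case stages[image], image == "scratch", strings.Contains(image, "@sha256:"):
			// build-stage alias, empty base, or already pinned: leave untouched
		case strings.Contains(image, "$"):
			return "", fmt.Errorf("cannot resolve variable reference %q", image)
		default:
			digest, err := r.Resolve(image)
			if err != nil {
				return "", err
			}
			if err := v.Verify(image, digest); err != nil {
				return "", err // an untrusted digest never reaches the output
			}
			image = image + "@" + digest // keep the tag for readability, pin by digest
		}
		if f := strings.Fields(rest); len(f) >= 2 && strings.EqualFold(f[0], "AS") {
			stages[f[1]] = true
		}
		out = append(out, prefix+flags+image+rest)
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return strings.Join(out, "\n"), nil
}

// Constructed sample input and fake registry state (the digests are not real).
const SampleDockerfile = `FROM --platform=linux/amd64 golang:1.21 AS build
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM alpine:3.18
COPY --from=build /app /app
ENTRYPOINT ["/app"]`

var (
	DigestGo     = "sha256:" + strings.Repeat("a", 64)
	DigestAlpine = "sha256:" + strings.Repeat("b", 64)
	Registry     = MapResolver{"golang:1.21": DigestGo, "alpine:3.18": DigestAlpine}
	Trusted      = SetVerifier{DigestGo: true, DigestAlpine: true}
)

func main() {
	out, err := ResolveDockerfile(SampleDockerfile, Registry, Trusted)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(out)
}
```

Stage aliases (`FROM build`), `scratch`, and references already carrying `@sha256:` are passed through unchanged, and a `$VAR` base image is rejected rather than silently left unpinned. Dropping one digest from `Trusted` makes the whole rewrite fail, which is the property the comment wants: there is no way to get a resolved Dockerfile whose digests were not verified.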
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.
This PR was closed because it has been stalled for 10 days with no activity.
Fixes sigstore#648
Fixes sigstore#707
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
…n into feature/dockerfile-resolve
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Add support to resolve
Thanks! Looking again at #648 I see that it proposes that the I think we probably want to make this do all the verification of
Fixes #648
Fixes #707
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
cc @developer-guy