Consider using TUF for update checks and downloading the ISO/localkube binaries #508
Comments
dlorenc
added
the
kind/feature
|
SGTM. This would be a lot better and more secure than trying to roll our own. What are the key differences between flynn/go-tuf and docker/notary? Seems like they are both go implementations of TUF. |
|
cc @ecordell |
|
Notary is actually a fork of go-tuf that implements more of the TUF spec and adds a few things on top of it (db storage support and a server/signer/client split) to support a production deployment. The In my opinion: If the plan is for maintainers to be very hands-on with the TUF metadata, go-tuf is a fine choice because it gives you a simple tool to modify a set of TUF metadata files, which you can then host statically and clients can pull and verify. TUF is designed with this simple case in mind, and a cron job or something can update the timestamp metadata (which would be the only online key in the simple case). If you instead need to support multiple users modifying metadata, coordinating signing, etc, I think notary is a better choice. |
|
Issues go stale after 30d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
If this is a FEATURE REQUEST, please:
See details here: https://theupdateframework.github.io/
There's a Go library here: https://github.com/flynn/go-tuf
The text was updated successfully, but these errors were encountered: