undefined | Better HN

0 pointsforty3y ago0 comments

By default container images are not signed (there is notary, but it's not commonly used - maybe notary V2 will change that - and I think the signature changes depending on the registry it's hosted on anyway?) which make it inconvenient to mirror.

Now, why are we still producing new package formats without mandatory signatures (containers, npm, cargo, etc) is not really clear to me. I guess everyone must think "those old crazy Unix folks signing their Deb and Rpm must have had their crazy reasons, but we have no reason to do the same" :) a more cynical thinking would say "it makes it inconvenient to mirror things and easier to build a business from the central repository" :)

0 comments

afiori3y ago

I believe that adding key handling as a necessary step for npm, docker, and similar registries isn't a good idea.

But it would be easy to sign all packages: if the author has decided not to use signatures the registry adds it's own signature, at any moment the author can choose to start using their own keys in place of the registrie's

nijave3y ago

The layers have checksums so couldn't you store the metadata centrally and mirror the checksummed blobs?

fortyOP3y ago

What is rate limited on docker hub is fetching the image manifest, rather than the blobs, so that wouldn't work I think.

https://docs.docker.com/docker-hub/download-rate-limit/#defi...

slim3y ago

There's also the conspiracy : "it's the CIA who infiltrated docker to get access on every server in the world" ;)

sam_lowry_3y ago

This is a quite reasonable attack vector for US cyber-offense.

j / k navigate · click thread line to collapse