
Docker image "verification"

Posted Jan 8, 2015 3:00 UTC (Thu) by thoughtpolice (subscriber, #87455)
Parent article: Docker image "verification"

For the Haskell package distribution system, http://hackage.haskell.org, I've been working on rolling out cryptographic signing for packages (as part of a contract through my employer). While we initially just planned to do a very simple approach of signing, The Update Framework is a great piece of work that I'm glad I found, and it covers a lot of ground with a nicely defined threat model.

Has any other package update framework fully implemented what's been described by TUF, or anything like it? AFAIK, most (packaging) systems either punt the problem to TLS or just implement basic signing without any defined threat model against things like rollback attacks, etc. I know they've secured the Python package framework, but I don't think this is actually how the official PyPI etc. work today, is it?
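The rollback and freeze protections the comment above credits to TUF's threat model are, on the client side, a few explicit checks on signed metadata. The following is an added illustration, not code from Hackage, PyPI or the TUF reference implementation: the metadata layout is a constructed simplification of a TUF "targets" role, and signature verification (a threshold of role keys, checked before anything below) is assumed to have already passed so the block runs on the standard library alone.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample package and the metadata a "targets" role would sign for it.
# Assumed structure for illustration only; real TUF metadata carries more fields.
CONSTRUCTED_PKG = b"name: demo\nversion: 1.0.0\n"
TRUSTED_META = {
    "version": 4,
    "expires": "2030-01-01T00:00:00Z",
    "targets": {
        "demo-1.0.0.tar.gz": {
            "length": len(CONSTRUCTED_PKG),
            "hashes": {"sha256": hashlib.sha256(CONSTRUCTED_PKG).hexdigest()},
        }
    },
}


def parse_expiry(value: str) -> datetime:
    """Parse the UTC timestamp format used in the constructed metadata."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_metadata(new: dict, trusted: dict, now: datetime) -> dict:
    """Apply TUF's client-side rules once signatures have been verified:
    a role's version must never go backwards (rollback attack) and the
    metadata must not be past its expiry (freeze attack, i.e. replaying
    old-but-validly-signed metadata forever)."""
    if new["version"] < trusted["version"]:
        raise ValueError(f"rollback: version {new['version']} < {trusted['version']}")
    if parse_expiry(new["expires"]) <= now:
        raise ValueError("metadata expired (possible freeze attack)")
    return new


def verify_target(meta: dict, name: str, data: bytes) -> bool:
    """Check a downloaded file against the length and hashes the role signed.
    Length is checked first so an oversized download is rejected cheaply."""
    entry = meta["targets"].get(name)
    if entry is None:
        raise ValueError(f"{name} is not listed in the targets role")
    if len(data) != entry["length"]:
        raise ValueError("length mismatch")
    for alg, expected in entry["hashes"].items():
        if hashlib.new(alg, data).hexdigest() != expected:
            raise ValueError(f"{alg} mismatch")
    return True
```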


Docker image "verification"

Posted Jan 11, 2015 11:47 UTC (Sun) by mgedmin (subscriber, #34497)

PyPI currently relies on TLS, but people are working on adopting TUF.

Docker image "verification"

Posted Jan 14, 2015 7:44 UTC (Wed) by kleptog (subscriber, #1183)

Thanks for bringing attention to this project, it's really quite cool. They've looked at the existing systems, fixed the issues, file formats and terminology and actually written it out in an easy to read document. And then written the code to implement it. Awesome!


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds