Trusted container images

Open nrybowski opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? Please describe.
With DockerHub not supporting free hosting for Open Source projects anymore, we are more and more exposed to namespace spoofing.

Describe the solution you'd like
The environment containers and other project's artifacts should be signed somehow. The INGInious frontend should let administrators load developer certificates, then the pulled containers should be verified against those authorized certificates. If the verification fails, the URL could be added to some kind of block-list to avoid further useless pulls.

Describe alternatives you've considered
Use decentralized package networks such as https://pyrsia.io/.

Additional context
The existing solutions for trusted software package distribution should be explored.

nrybowski avatar Mar 17 '23 07:03 nrybowski

Related project https://github.com/sigstore/cosign-installer

nrybowski avatar Dec 06 '23 17:12 nrybowski
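
A sketch of the verify-then-block-list flow requested in this issue, added here as an example and not INGInious code. It assumes images are signed with Sigstore cosign (the tool the linked project installs) and checked with `cosign verify --key`; `ImageGate`, the key file names and the registry references are hypothetical.

```python
import subprocess

def cosign_verify(image, key_path):
    """True if cosign accepts a signature on `image` for `key_path`."""
    proc = subprocess.run(["cosign", "verify", "--key", key_path, image],
                          capture_output=True, timeout=60)
    return proc.returncode == 0

class ImageGate:
    """Hypothetical gate: admin-loaded public keys in, pull decision out."""

    def __init__(self, trusted_keys, verifier=cosign_verify):
        self.trusted_keys = list(trusted_keys)
        self.verifier = verifier
        self.blocklist = set()

    def allow(self, image):
        if image in self.blocklist:
            return False          # already failed: skip the useless pull
        if "@sha256:" not in image:
            return False          # tags are mutable; verify a pinned digest
        try:
            ok = any(self.verifier(image, k) for k in self.trusted_keys)
        except (OSError, subprocess.TimeoutExpired):
            return False          # could not check: deny, but do not block-list
        if not ok:
            self.blocklist.add(image)
        return ok

def demo():
    """Constructed references and a stand-in verifier, so this runs offline."""
    good = "registry.example/inginious/env-python3@sha256:" + "a" * 64
    spoof = "registry.example/1nginious/env-python3@sha256:" + "b" * 64
    signed = {(good, "dev-alice.pub")}
    gate = ImageGate(["dev-alice.pub", "dev-bob.pub"],
                     verifier=lambda img, key: (img, key) in signed)
    return gate.allow(good), gate.allow(spoof), spoof in gate.blocklist

if __name__ == "__main__":
    print(demo())
```

Only a definite verification failure lands on the block-list; a missing cosign binary or a timeout denies the pull without permanently banning the reference.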