asraa

Results 448 comments of asraa

Currently, I have it with the same key. Whether or not the fulcio instance is present would just change your trust model (would you be able to trust rekor's signed...

@sigstore/rekor-codeowners do we want to bump to 1.19? I remember some old conversations around bumping to 1.18, but we should uniformly do this across sigstore projects.

Hi @dibrinsofor! Definitely take a first stab! I would highly recommend making changes incremental, since the smaller the change the faster it will be for me to review. You can...

> Is this only related to the docker nightly images or also to the Tensorflow nightly wheels built with these images?

This would just be the docker nightly images. Right...

> since it may be verified by a binary / library that does not need to be specialised to parse Wasm modules at all, and may be reused for validating...

Thanks @developer-guy! It looks like it is similar to @afzal442's proposal, but we already have these written out of the box. Also, to help reliability, it is easy (see...

I may have backtracked on my understanding of this, but shouldn't a valid snapshot be pinning these files with their hashes anyway and prevent collisions/incorrect fetches?

I also ran into this problem building Abseil from HEAD and using clang-12.

Thanks! Just to reiterate: as of right now these policies *should* be passing on envoy repos, so there shouldn't be any noise. It will alert on changes.