Michał Kowalczyk
Yup, we'll definitely keep it open as we plan to introduce reproducible builds at some point ;)
Jenkins, test this please
One more issue: I don't like that this makes _all_ app's attempts to mmap shared memory go into untrusted memory, this makes it almost impossible to use securely (because you'll...
> We should do whatever is convenient for gsc. As long as GSC compiles from source, I think it should be `/usr/bin/python3` (as the PR does). Why not an option...
> I don't think we can do it only on "some" images, at least I don't want to maintain a heuristic for detecting "weird" Docker images. We'll do it for...
protected_mrsigner_files: Disallowing access to file ...; file is not protected, trusted or allowed.
Does it work if you use an absolute path to access it?
@dimakuv: One problem which makes this harder than just creating a "generate MRENCLAVE" is that MRENCLAVE is not enough. Remember the security issue which a lot of frameworks had some...
Instead of nonces I'd just require the application to sign the add-key request with the mrsigner key. This way only the owner of mrsigner key could modify the corresponding entries...
@Villain88: Nope, it's not implemented yet (you can see that this issue is still open ;) ).
@debin-yang This issue is only to aggregate general issues with Graphene which block it from being used in production for all purposes, not just specific workloads.