
[Question]: can we use "rekor.tlog.dev" address as a value of the annotation "chains.tekton.dev/transparency"?

Open developer-guy opened this issue 1 year ago • 6 comments

Feature request

In the meantime, Tekton Chains adds a transparency log server API URL, which is "rekor.sigstore.dev", to the annotation "chains.tekton.dev/transparency", but the Chainguard team developed a UI project for Rekor called rekor-search-ui, so I thought it would be a better experience for the end-users to replace this URL with the UI one?

rekor.sigstore.dev => rekor.tlog.dev

developer-guy avatar Sep 28 '22 10:09 developer-guy

Interesting idea! Personally I prefer the rekor.sigstore.dev URL so that people can easily know which tlog the entry is in.

priyawadhwa avatar Sep 28 '22 15:09 priyawadhwa

> I prefer the rekor.sigstore.dev URL so that people can easily know which tlog the entry is in.

Yeah, that makes sense to me too, but from the end-user perspective, when they display the details of the TaskRun, IMHO, it'd be better to see the UI link (https://rekor.tlog.dev/?logIndex=735223) instead of the API link because UIs are a super cool feature for the end-users 🙈

developer-guy avatar Sep 28 '22 17:09 developer-guy

any other thoughts?

developer-guy avatar Sep 30 '22 19:09 developer-guy

rekor.tlog.dev has no SLO and may be down or deleted at any time without warning.

The rekor.sigstore.dev annotation key is named like a URL not because it should be resolved in a browser, but just to namespace it.

The HTML served at rekor.sigstore.dev can presumably also go away at any time.

I recommend against using tlog.dev for this.

imjasonh avatar Sep 30 '22 21:09 imjasonh

+1 to Jason / Priya w.r.t. the existing value.

If we really want this maybe we could put this in a separate configurable annotation? 🤔

wlynch avatar Oct 04 '22 15:10 wlynch

> If we really want this maybe we could put this in a separate configurable annotation? 🤔

This would be great if we could! I'm so thrilled to do that 🙈

developer-guy avatar Oct 14 '22 07:10 developer-guy

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jan 12 '23 07:01 tekton-robot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

tekton-robot avatar Feb 11 '23 07:02 tekton-robot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

tekton-robot avatar Mar 13 '23 07:03 tekton-robot

@tekton-robot: Closing this issue.

In response to this:

> Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
>
> /close
>
> Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Mar 13 '23 07:03 tekton-robot

Based on the recent news that Chainguard contributes the Rekor Search UI project to Sigstore, we might reconsider using this address in one of the Tekton Chains annotations about the transparency log server. WDYT @wlynch @imjasonh?

This site is now served under: https://search.sigstore.dev

➡️ https://www.chainguard.dev/unchained/chainguard-contributes-rekor-search-project-to-sigstore

developer-guy avatar Mar 27 '23 10:03 developer-guy