Comments (8)
Related:
from hub.
@davidham You raise some great points. I'll try to tackle some of them
First, you can see what the chart will do. If you use the helm pull
command (helm fetch
in Helm v2) you can pull the package locally, unpack it, and inspect the contents. The files are gzipped tarballs so you can un-archive them without even needing Helm. If you are concerned please take a look at the contents and inspect the images they are using.
Second, trust can be difficult to work out. Who do you trust and how does one gain or loose trust with you. Helm has provenance/signing but you need to trust the source prior following that. And, many people don't sign charts.
This makes me wonder, what elements would you want to see other than the source repo that would help you with trust?
Unfortunately, we cannot enforce the repository location as some many have their source for their charts in private repositories and the packaged contents being public. That is currently allowed. Going back on that would cause issues.
Figuring out trust is an interesting problem, to me, and I would like to help people see more information that would help them decide on trust. Your opinion is valuable here.
from hub.
Hi Matt, thank you for your reply.
As a newcomer to Helm about a year ago, I trusted the charts repo because a) it was owned by the Helm org, which was an Official Thing, a CNCF project and recommended by the Helm docs, and b) to be honest, I didn't know any better. But it has worked out so far, for the following reasons:
- I can browse the chart before I install it, so I can see what it installs and what config options it exposes. Doing
helm pull
and unzipping and browsing is not a substitute for this. - The chart repo is public, so I have confidence that what I see is what gets installed.
- Because the chart repos are public, people in the community can submit issues and PRs against them. These issues and PRs are super valuable in Google searches when I have problems.
I think the biggest things that affect trust for me are ownership and transparency. For schema-registry, I ended up creating my own deployment bundle for it based on the confluentinc
Docker image. And I trusted that because the Docker image repo is owned by Confluent, it's their software.
I didn't feel I could trust the Helm chart for it because I couldn't determine the relationship, if any, between the chart maintainer and the underlying software. I intend no criticism whatsoever of the maintainer or the chart I found in stable
, which seems actually super useful and well-written. But the new Helm Hub doesn't show the source of the chart, and that coupled with the uncertain provenance made it not a good solution for us.
So, I would trust Helm Hub more if:
- Charts were in public repos owned by the maintainers of the software, or by someone they have designated. If it's a chart for Confluent software, I want to know that Confluent blessed it.
- Helm Hub required a link to this repo for every chart listing
- The chart artifact had a checksum or signature I can verify after I
pull
it.
I'm curious about why maintainers would want to keep the chart repo private but the build artifacts public.
Without these things, however, I don't feel I can trust Helm Hub enough to use it to install software my company depends on.
from hub.
I'm curious about why maintainers would want to keep the chart repo private but the build artifacts public.
I think a majority of the time the charts are public but they are not providing a link to the repo in the Chart.yaml
. I found a similar thing happening with containers on Docker Hub. Sometimes they have a link to the repo used to generate them and sometimes they do not but it exists.
I think the next step is to encourage including the repo information. It would be nice to encourage people to include it on their container images, too. On numerous occasions I've audited the the used to create a container image.
I would trust Helm Hub more if
Might I suggest you don't trust all the charts in the hub just because it's run by the Helm project. It's a distributed chart search. All the charts come from 3rd parties. Trust a 3rd party instead of trusting the hub.
Do you trust all the images on Docker Hub? Or, do you trust certain organizations who maintainer their images there? The same idea applies here.
The Hubs provided by the CNCF can do a better job of presenting metadata to help people decided who and which charts they will trust.
The chart artifact had a checksum or signature I can verify after I pull it.
Helm can do this to some extent if the provenance was created for the package and put in the repo. We need to do some work to make this more widely used.
from hub.
Might I suggest you don't trust all the charts in the hub just because it's run by the Helm project. It's a distributed chart search. All the charts come from 3rd parties. Trust a 3rd party instead of trusting the hub.
I get this, but how do I know whom to trust, based on a chart page on the Helm Hub? This is why I think requiring a link to the chart's repo would help; it would show who owns the repo. If I find a chart like schema-registry, I want to know if the chart maintainer has any relationship to the underlying software.
from hub.
how do I know whom to trust, based on a chart page on the Helm Hub?
I think this is a great question. And, it does not have a single answer. Different people and organizations are going to have different rules. There are some who take every upstream asset, pull it into a staging area, analyze it, if it passes it's promoted into use. They don't trust upstream. They verify everything. There are some who will just use what ever and not look at it. Then there are those at multiple points in between.
There are situations where someone might trust someone without having access to the source. For example, let's say a consumer has a contract with the provider for support. There is a financial and legal obligation. Some would trust that and others wouldn't.
There's no one right way. We can encourage the source but we aren't going to require it.
from hub.
A link to the chart source is really needed - its annoying to find a chart in the hub, and then have to go to google to find the source - its generally easier/quicker to look at the source on github than to download/extract/open in editor the tar
from hub.
The Helm Hub is now deprecated so this issue is overcome by events. Closing.
from hub.
Related Issues (20)
- Add CI to check for name length issues HOT 2
- READMEs getting 404 on Helm Hub HOT 6
- Cluster autoscaler version 1.15 and 1.16 stable charts are missing HOT 1
- Provide hub.helm.sh repository information for dependencies
- [CSS] Search results appear underneath upper fold HOT 2
- Redirection mechanism or warning message for deprecated charts HOT 1
- feat: expand hub support to helm plugins HOT 2
- feat: add example filters to homepage HOT 2
- cert-manager: removing and preventing 'alternate' versions of Helm charts HOT 8
- Some pages of Charts in hub.helm.sh don't load their README content HOT 3
- Hub is not loading one of my charts HOT 2
- Charts in stable repo not available due to duplicate stable repo name in repos.yaml HOT 3
- Where is docker registry? HOT 6
- Longhorn Chart README page is loading indifinitely HOT 2
- Migration to Artifact Hub HOT 11
- Install panel "copy" doesn't work with Helm 3 and it picks "beta" chart. HOT 1
- Helm chart description links doesn't work HOT 2
- Helm Hub fails to load due to 503 errors HOT 2
- Redirection issue from hub.helm to artifacthub HOT 2
- Handover of external-secrets HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hub.