[feature request] Require link to public repo for the chart about hub HOT 8 CLOSED

Related:

• #6
• #41
• #42

from hub.

@davidham You raise some great points. I'll try to tackle some of them

First, you can see what the chart will do. If you use the helm pull command (helm fetch in Helm v2) you can pull the package locally, unpack it, and inspect the contents. The files are gzipped tarballs so you can un-archive them without even needing Helm. If you are concerned please take a look at the contents and inspect the images they are using.

Second, trust can be difficult to work out. Who do you trust and how does one gain or loose trust with you. Helm has provenance/signing but you need to trust the source prior following that. And, many people don't sign charts.

This makes me wonder, what elements would you want to see other than the source repo that would help you with trust?

Unfortunately, we cannot enforce the repository location as some many have their source for their charts in private repositories and the packaged contents being public. That is currently allowed. Going back on that would cause issues.

Figuring out trust is an interesting problem, to me, and I would like to help people see more information that would help them decide on trust. Your opinion is valuable here.

from hub.

Hi Matt, thank you for your reply.

As a newcomer to Helm about a year ago, I trusted the charts repo because a) it was owned by the Helm org, which was an Official Thing, a CNCF project and recommended by the Helm docs, and b) to be honest, I didn't know any better. But it has worked out so far, for the following reasons:

• I can browse the chart before I install it, so I can see what it installs and what config options it exposes. Doing helm pull and unzipping and browsing is not a substitute for this.
• The chart repo is public, so I have confidence that what I see is what gets installed.
• Because the chart repos are public, people in the community can submit issues and PRs against them. These issues and PRs are super valuable in Google searches when I have problems.

I think the biggest things that affect trust for me are ownership and transparency. For schema-registry, I ended up creating my own deployment bundle for it based on the confluentinc Docker image. And I trusted that because the Docker image repo is owned by Confluent, it's their software.

I didn't feel I could trust the Helm chart for it because I couldn't determine the relationship, if any, between the chart maintainer and the underlying software. I intend no criticism whatsoever of the maintainer or the chart I found in stable, which seems actually super useful and well-written. But the new Helm Hub doesn't show the source of the chart, and that coupled with the uncertain provenance made it not a good solution for us.

So, I would trust Helm Hub more if:

• Charts were in public repos owned by the maintainers of the software, or by someone they have designated. If it's a chart for Confluent software, I want to know that Confluent blessed it.
• Helm Hub required a link to this repo for every chart listing
• The chart artifact had a checksum or signature I can verify after I pull it.

I'm curious about why maintainers would want to keep the chart repo private but the build artifacts public.

Without these things, however, I don't feel I can trust Helm Hub enough to use it to install software my company depends on.

from hub.

I'm curious about why maintainers would want to keep the chart repo private but the build artifacts public.

I think a majority of the time the charts are public but they are not providing a link to the repo in the Chart.yaml. I found a similar thing happening with containers on Docker Hub. Sometimes they have a link to the repo used to generate them and sometimes they do not but it exists.

I think the next step is to encourage including the repo information. It would be nice to encourage people to include it on their container images, too. On numerous occasions I've audited the the used to create a container image.

I would trust Helm Hub more if

Might I suggest you don't trust all the charts in the hub just because it's run by the Helm project. It's a distributed chart search. All the charts come from 3rd parties. Trust a 3rd party instead of trusting the hub.

Do you trust all the images on Docker Hub? Or, do you trust certain organizations who maintainer their images there? The same idea applies here.

The Hubs provided by the CNCF can do a better job of presenting metadata to help people decided who and which charts they will trust.

The chart artifact had a checksum or signature I can verify after I pull it.

Helm can do this to some extent if the provenance was created for the package and put in the repo. We need to do some work to make this more widely used.

from hub.

Might I suggest you don't trust all the charts in the hub just because it's run by the Helm project. It's a distributed chart search. All the charts come from 3rd parties. Trust a 3rd party instead of trusting the hub.

I get this, but how do I know whom to trust, based on a chart page on the Helm Hub? This is why I think requiring a link to the chart's repo would help; it would show who owns the repo. If I find a chart like schema-registry, I want to know if the chart maintainer has any relationship to the underlying software.

from hub.

how do I know whom to trust, based on a chart page on the Helm Hub?

I think this is a great question. And, it does not have a single answer. Different people and organizations are going to have different rules. There are some who take every upstream asset, pull it into a staging area, analyze it, if it passes it's promoted into use. They don't trust upstream. They verify everything. There are some who will just use what ever and not look at it. Then there are those at multiple points in between.

There are situations where someone might trust someone without having access to the source. For example, let's say a consumer has a contract with the provider for support. There is a financial and legal obligation. Some would trust that and others wouldn't.

There's no one right way. We can encourage the source but we aren't going to require it.

from hub.

A link to the chart source is really needed - its annoying to find a chart in the hub, and then have to go to google to find the source - its generally easier/quicker to look at the source on github than to download/extract/open in editor the tar

from hub.

The Helm Hub is now deprecated so this issue is overcome by events. Closing.

from hub.