Comments (11)
I have been thinking the same. Fulcio has been operating in a stable manner for a while now. I will freeze the milestone and we can look at closing the release.
cc @cpanato
Let's chat on Monday about shipping.
from fulcio.
The googleca stuff needs to move to the 1.0 API
@cpanato as I understand, it won't be a change of flags or a non backwards compatible change.
At the moment we have a pattern of folks making proposals to add to 1.0, but not able to do the work and so we are seeing 1.0 pushed back and a moving target. For me the most important role of fulcio is the public good instance and what we have at present, which although I am sure can be improved over time, is currently functioning well.
Ahh, got it, I think I misunderstood :(
same from rekor:
I would like to add a cloudbuild + goreleaser when we release Fulcio
then I have some questions:
- We will use the same KMS key that we use to sign cosign? or we create another?
- To push the data to the Rekor server how can we do that in an automated fashion way? there is any guide? or we just don't do it at this time?
@dlorenc @lukehinds @dekkagaijin
We will use the same KMS key that we use to sign cosign? or we create another?
Subscribing myself here -- if we do add a new one I need to add it to our root
Another one that came up with the keyless attestation breakage is that Let's Encrypt has a staging endpoint for tool developers to use to test against without worrying about stuff like quota, and doesn't use the actual CA cert as the root.
Given that we can't even properly test things in cosign against Fulcio pre-submit, I think this is going to be a problem for tooling developers looking to integrate with cosign/fulcio.
I won't outline all of my thoughts on this here, but if folks agree that it's a worthy v1 blocker, then we should open a parallel issue to track it.
cc @dlorenc @n3wscott @lukehinds
Should probably lock down the configuration prior to 1.0: #304
Not 100% configuration change should be 1.0 blocker. If only because it seems like it might take some time to finish up a refactor. I discussed it a bit here: #304 (comment)
if need to change any configuration, maybe we can do that now and make a pre-release with deprecations and then plan the 1.0 removing the deprecations.
Everything here has been completed. Additional work is tracked here - https://github.com/orgs/sigstore/projects/5/views/1
Related Issues (20)
- Version Fulcio Certificates HOT 2
- Proposal: GitHub username identities with the GitHub IdP HOT 3
- There is a typo
- Proposal: Integrate with attestation for hardware-backed keys HOT 7
- Allow for a configurable Gitlab url HOT 2
- ACME protocol for certificate issuance
- Add Shutdown behavior
- Do not block startup on OIDC providers being offline
- How does cosign verify use the privatized fulcio deployment? HOT 1
- add info into readme about local doc
- Allow configurable client signing algorithms HOT 11
- Issue while running sigstore locally HOT 3
- Fulcio doesn't pass http customization to go-oidc
- Request For Comment: Removing support for detached SCTs HOT 5
- Add support for release attestations HOT 3
- Dockerfiles use amd64-specific images HOT 1
- Make pkg/certificate/parseExtentions function public
- Codefresh OIDC provider support HOT 3
- [Windows] ctfe_init container "/bin/sh: 1: /root/logid.sh: not found" HOT 2
- Cosign failed to sing the image HOT 1