On Tue, Sep 30, 2014, at 11:55 AM, Václav Pavlín wrote:

> Tianon also mentioned a future feature which would support signed images - 
> we would probably want to produce such a signed image by ourselves, not 
> just give Docker rootfs and let them sign it.

How does this intersect with
https://github.com/docker/docker/issues/8093

As a Docker user, I may trust Docker Hub, or I may trust Fedora, or both
(or neither).  If the signatures are being validated, the client should
be configurable to allow e.g. only accepting images signed by a
particular set of keys (e.g. Fedora's).

If we just hand them a tarball that they sign, then AIUI someone would
have to jump through significant hoops to determine provenance to
Fedora.

CC'ing vbatts for comment.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct