
Improve self-hosting story for signed manifests #146

Open
4 of 5 tasks
kzu opened this issue Feb 18, 2024 · 0 comments
Assignees
Labels
enhancement New feature or request

Comments

@kzu
Contributor

kzu commented Feb 18, 2024

Instead of assuming other OSS projects will use our infrastructure, assume instead that they (being developers) will instead host their own endpoint for signed manifest generation. This should lower the bar for adoption since they can keep their sponsors information entirely private, while still emitting the manifest server-side and properly signed with their own private key.

This also makes it far more costly for malicious users intending to circumvent SL, since they would need to work around each package using it individually, rather than hacking a single manifest.

Features:

  • A single GH CLI extension will still be the one emitting the entry point manifest (signed) for sponsorables to use
  • A new endpoint in SL as backend to emit those sponsorable manifests for run-time seeding of manifest syncing
  • A new per-sponsorable manifest should be downloaded instead of one for all
  • Helpers for consumers would now read, cache and validate their own manifest individually.
  • Make self-deployment of a server-side backend trivial for sponsorables. Perhaps a simple asp.net core net8.0 container that's deployed as-is and just needs a couple envvars for config?
@kzu kzu added the enhancement New feature or request label Feb 18, 2024
kzu added a commit that referenced this issue Feb 18, 2024
Allows a sponsorable to initialize a JWT token that can be used to seed sponsors checks for their organization.

Partially implements #146
@kzu kzu self-assigned this May 11, 2024