UCL-INGI / INGInious

INGInious is a secure and automated exercises assessment platform using your own tests, also providing a pluggable interface with your existing LMS.
http://www.inginious.org

Trusted container images #922

Open nrybowski opened 1 year ago

nrybowski commented 1 year ago

Is your feature request related to a problem? Please describe.
With DockerHub not supporting free hosting for Open Source projects anymore, we are more and more exposed to namespace spoofing.

Describe the solution you'd like
The environment containers and other project's artifacts should be signed somehow. The INGInious frontend should let administrators load developer certificates, then the pulled containers should be verified against those authorized certificates. If the verification fails, the URL could be added to some kind of block-list to avoid further useless pulls.

Describe alternatives you've considered
Use decentralized package networks such as https://pyrsia.io/.

Additional context
The existing solutions for trusted software package distribution should be explored.

nrybowski commented 11 months ago

Related project https://github.com/sigstore/cosign-installer
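
The verification gate requested in this issue, as an added example that is not INGInious code or part of the thread: it checks an image reference against administrator-loaded public keys with `cosign verify --key` and block-lists references that fail. The class and function names, the key file names and the digest-only rule are assumptions.

```python
import subprocess
from pathlib import Path
from typing import Callable, Iterable

# Hypothetical names throughout; none of this is INGInious code.
Verifier = Callable[[str, Path], bool]


def cosign_verify(image: str, pubkey: Path) -> bool:
    """True if `cosign verify --key <pubkey> <image>` succeeds (cosign must be on PATH)."""
    try:
        proc = subprocess.run(
            ["cosign", "verify", "--key", str(pubkey), image],
            capture_output=True, timeout=120, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed: no working verifier means no trust
    return proc.returncode == 0


class TrustedImageGate:
    """Allow a pull only if one administrator-loaded key verifies the image."""

    def __init__(self, trusted_keys: Iterable[Path], verify: Verifier = cosign_verify):
        self.trusted_keys = list(trusted_keys)
        self.verify = verify
        self.blocked: set[str] = set()  # references that already failed verification

    def allow(self, image: str) -> bool:
        if image in self.blocked:
            return False  # known failure: skip the useless verification and pull
        if "@sha256:" not in image:
            # Assumption: only digest-pinned references are accepted, because a
            # tag can be re-pointed between verification and pull.
            return False
        if any(self.verify(image, key) for key in self.trusted_keys):
            return True
        self.blocked.add(image)
        return False

    def unblock(self, image: str) -> None:
        """Let an administrator clear an entry, e.g. after a registry outage."""
        self.blocked.discard(image)
```

Because `cosign_verify` fails closed, a registry outage also lands a reference on the block-list, which is why `unblock` exists.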