buildpacks / registry-api

API for searching and reading the Buildpack Registry
Apache License 2.0

Publisher information #95

Open RealHarshThakur opened 1 year ago

RealHarshThakur commented 1 year ago

I'd like to rely on the public buildpacks registry but only allow users to use images by certain publishers (heroku, paketo, etc). Is there a way for the API to give out this information reliably such that I could verify if a particular buildpack was published by who I think it is? Apologies if this isn't the right repo for this issue.

jkutner commented 1 year ago

@RealHarshThakur it's possible we could expose this, but it would just be something we pass through from the underlying docker registry (which is what hosts the buildpack images). Are you interested in limiting to namespaces or actual publishers?

RealHarshThakur commented 1 year ago

Limiting to namespace is essentially relying on the dockerhub handle they (publishers I trust) have, isn't it? I think that would be a good start. Long term, maybe we can rely on the OCI artifacts being signed and verifying via public key.
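
Added example, not part of the thread and not code from the registry-api project: a consumer-side sketch of the namespace allowlist discussed above, showing that the check has to bind the registry host together with the namespace, since the same namespace string can exist on any registry. The `TRUSTED` entries and all sample references are constructed assumptions.

```python
# Added example: allowlist image references by (registry host, namespace).
# TRUSTED is a constructed policy; the handles are assumed, not taken from the page.
TRUSTED = {("docker.io", "heroku"), ("docker.io", "paketobuildpacks")}


def split_reference(ref):
    """Return (registry, namespace, repo), applying Docker Hub defaulting rules."""
    name = ref.split("@", 1)[0]  # drop an optional @sha256:... digest
    head, sep, rest = name.partition("/")
    # The first component is a registry host only if it looks like one.
    if sep and ("." in head or ":" in head or head == "localhost"):
        registry, path = head.lower(), rest
    else:
        registry, path = "docker.io", name
    if registry == "index.docker.io":  # legacy alias for Docker Hub
        registry = "docker.io"
    # Drop an optional tag: a ':' in the final path component.
    if ":" in path.rsplit("/", 1)[-1]:
        path = path[: path.rindex(":")]
    parts = path.split("/")
    if registry == "docker.io" and len(parts) == 1:
        parts = ["library"] + parts  # official images live under library/
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"cannot determine namespace in {ref!r}")
    return registry, parts[0], "/".join(parts[1:])


def is_trusted(ref):
    """True only if both the registry host and the namespace are allowlisted."""
    try:
        registry, namespace, _ = split_reference(ref)
    except ValueError:
        return False  # fail closed on anything unparseable
    # Exact match: no case folding, no prefix or substring matching.
    return (registry, namespace) in TRUSTED


if __name__ == "__main__":
    for ref in ["heroku/builder:22",            # constructed samples
                "evil.example/heroku/builder",
                "herokuu/builder"]:
        print(ref, "->", is_trusted(ref))
```

This only establishes which account the image was pulled from; it says nothing about the image contents, which is what the signature verification mentioned in the last comment would cover.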