rajatjindal / kubectl-modify-secret

kubectl-modify-secret allows the user to modify a secret directly without worrying about base64 encoding/decoding
Apache License 2.0
139 stars 12 forks

audit, sign, trust #34

Closed. cforce closed this 5 months ago

cforce commented 5 months ago

Why not signed?

brew install rajatjindal/tap/modify-secret

'brew' is not recognized as an internal or external command, operable program or batch file.

kubectl krew install modify-secret

Updated the local copy of plugin index.
Installing plugin: modify-secret
Installed plugin: modify-secret
\
 | Use this plugin:
 |     kubectl modify-secret
 | Documentation:
 |     https://github.com/rajatjindal/kubectl-modify-secret
/
WARNING: You installed plugin "modify-secret" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

rajatjindal commented 5 months ago

Hi @cforce,

Will signing the binaries with cosign help here? Or are you looking for something else?

The warning you mentioned comes from krew.

Thanks

cforce commented 5 months ago

To build trust in this, you shall request to be added to the krew plugin repo and go through their security checks.

rajatjindal commented 5 months ago

The plugin is already part of the krew plugin repo, but there is no process for security review/checks for the plugins in krew. This is why krew prints that warning for each and every plugin.

With that, I would like to close the issue, as this is the expected behavior right now.

cforce commented 5 months ago

I understand, but I think it will not increase trust with this warning not solved by an approval, which is the idea behind it AFAIK.

rajatjindal commented 5 months ago

Thank you. Just to clarify and make sure we are on the same page: my understanding is that there is NO process in krew to get approval like you are mentioning. If there is, I will be happy to go through that.