Comment by westurner
8 hours ago
Notes for solvers in this space:
Fedora recently moved to managing packages in Forgejo, a fork of Gitea and Gogs, a clone of the old GitHub UI. https://news.ycombinator.com/item?id=45670055
Forgejo has an artifact registry for DEBs, RPMs, and APKs, and a Container Registry for OCI containers.
Any type of artifact can be stored in an OCI container image registry. Any type of artifact can be signed/attested to with a short-lived signing key from sigstore.dev's Rekor instance or a self-hosted one.
Native container tools like bootc store host system images as OCI container images.
From https://news.ycombinator.com/item?id=44991636 :
> bootc-image-builder, ublue-os/image-template, ublue-os/akmods, ublue-os/toolboxes w/ quadlets and systemd
There are streaming container standards to boot containers that haven't finished downloading yet, and container snapshot artifacts too: Seekable OCI, eStargz, Nydus: https://news.ycombinator.com/item?id=34603593
Python Packaging User Guide > Package index mirrors and caches > Existing projects: https://packaging.python.org/en/latest/guides/index-mirrors-...
> [ Cache, Mirror, Proxy ]
> [ mod_cache_disk (Apache), nginx_pypi_cache, pulp-python, ]
Pulp (Red Hat) mirrors and proxies a number of different types of packages: https://github.com/pulp
pulp_container, pulp_ostree, pulp_ansible, pulp_rpm, pulp_deb, pulp_npm, pulp_maven, pulp_r
pulp-operator for HA SPOF with k8s: https://github.com/pulp/pulp-operator
From https://news.ycombinator.com/item?id=44320936 re: cosign, Sigstore, TUF, SLSA: you have to pass this to get Docker to check container image signatures:
DOCKER_CONTENT_TRUST=1
..
- integrate with Forgejo
- mirror git repos
- consider pulp's modular approach and deployment operator
- consider OCI for future packaging formats
- What SLSA recommends; check TUF, Sigstore, Trusted Publisher (OIDC) and GPG .asc signatures
And then also content-addressable networking might avoid some of the overhead and wasteful redundancy of checking the hash of each file in each signed package manifest.
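Added example, not code from the comment above or from any project it names (Forgejo, Pulp, Sigstore, bootc): a minimal content-addressed blob store with OCI-style manifests, illustrating the comment's closing point that a blob referenced by several signed manifests only needs to be hashed and checked once when it is addressed by digest. The "trusted manifest digest" passed to `verify_image` is an assumption standing in for whatever a signature (cosign, Notary, a TUF target) would pin; every manifest and blob is constructed inline so it runs offline.

```python
"""Content-addressed blob store with OCI-style manifests (added illustration).

Not code from the comment above or from Forgejo, Pulp, Sigstore or bootc.
Every manifest, blob and "trusted digest" here is constructed inline so the
example runs offline. The trusted manifest digest stands in for what a
signature (cosign, Notary, a TUF target) would actually pin.
"""
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """OCI-style digest string for a blob: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class BlobStore:
    """Blobs keyed by digest; each digest is re-hashed and checked at most once."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}
        self._verified: set[str] = set()
        self.hash_ops = 0  # how many times verification actually hashed a blob

    def put(self, data: bytes) -> str:
        digest = sha256_digest(data)
        self._blobs[digest] = data
        return digest

    def get_verified(self, digest: str) -> bytes:
        """Return the blob only if its content still hashes to its address."""
        if digest not in self._blobs:
            raise KeyError(f"blob not present: {digest}")
        data = self._blobs[digest]
        if digest not in self._verified:  # skipped for blobs verified under an earlier manifest
            self.hash_ops += 1
            if sha256_digest(data) != digest:
                raise ValueError(f"digest mismatch for {digest}")
            self._verified.add(digest)
        return data


def build_manifest(store: BlobStore, config: bytes, layers: list[bytes]) -> bytes:
    """Store config and layers, return a manifest that references them by digest."""
    manifest = {
        "schemaVersion": 2,
        "config": {"digest": store.put(config), "size": len(config)},
        "layers": [{"digest": store.put(layer), "size": len(layer)} for layer in layers],
    }
    return json.dumps(manifest, sort_keys=True).encode()


def verify_image(store: BlobStore, manifest_bytes: bytes, trusted_digest: str) -> list[str]:
    """Check the manifest against its pinned digest, then every blob it references.

    Returns the referenced digests in manifest order (config first, then layers).
    """
    if sha256_digest(manifest_bytes) != trusted_digest:
        raise ValueError("manifest does not match the trusted (signed) digest")
    manifest = json.loads(manifest_bytes)
    refs = [manifest["config"], *manifest["layers"]]
    for ref in refs:
        data = store.get_verified(ref["digest"])
        if len(data) != ref["size"]:
            raise ValueError(f"size mismatch for {ref['digest']}")
    return [ref["digest"] for ref in refs]


def demo() -> dict:
    """Two images sharing a base layer: six references, only five blobs hashed."""
    store = BlobStore()
    base = b"base layer: shared rootfs bits"  # constructed sample data
    img_a = build_manifest(store, b'{"app": "a"}', [base, b"layer: app a"])
    img_b = build_manifest(store, b'{"app": "b"}', [base, b"layer: app b"])
    refs_a = verify_image(store, img_a, sha256_digest(img_a))
    refs_b = verify_image(store, img_b, sha256_digest(img_b))
    return {
        "blobs_referenced": len(refs_a) + len(refs_b),
        "unique_blobs_hashed": store.hash_ops,
        "shared": sorted(set(refs_a) & set(refs_b)),
    }


def tamper_is_rejected(kind: str) -> bool:
    """Swap bytes under an existing address ('blob') or edit the manifest ('manifest')."""
    store = BlobStore()
    manifest = build_manifest(store, b'{"app": "x"}', [b"layer: app x"])
    pinned = sha256_digest(manifest)
    if kind == "blob":
        # Content no longer matches its address: a mirror serving a swapped layer.
        store._blobs[sha256_digest(b"layer: app x")] = b"layer: app x + backdoor"
    elif kind == "manifest":
        manifest = manifest.replace(b'"schemaVersion": 2', b'"schemaVersion": 3')
    try:
        verify_image(store, manifest, pinned)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The cache in `get_verified` is the whole point: once a layer's bytes have been checked against their digest, a second manifest that names the same digest pays only a dictionary lookup, which is the redundancy the comment says per-package manifests with per-file hashes incur. The signature over the manifest is still what makes the pinned digest trustworthy; this example only assumes it.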