Well, thanks to TLS they're effectively already signed, by Github, to prove that only those with commit rights have produced it, and the commit hash in the url means it will only point to that specific version.
Ste gr

On Mon, Apr 20, 2020 at 9:40 PM Christopher Walker <[email protected]> wrote:

> Can we digitally sign the solutions registry files so that the client can
> verify they were created by us?
>
> Christopher
>
> On Mon, Apr 20, 2020 at 16:37 Gregg Vanderheiden RTF <
> [email protected]> wrote:
>
>> Is Github secure enough that we want production code to be downloading
>> from there?
>>
>> I guess if the URL for downloading is in the siteconfig - we can easily
>> move it later.
>>
>> *gregg*
>>
>> ———————————
>> Professor, University of Maryland, College Park
>> Director, Trace R&D Center, UMD
>> Co-Founder Raising the Floor. http://raisingthefloor.org
>> And the Global Public Inclusive Infrastructure (GPII) http://GPII.net
>>
>> On Apr 20, 2020, at 2:09 PM, Joseph Scheuhammer <[email protected]>
>> wrote:
>>
>> All, but mostly Stepan, Alfredo, and Sergey (dev-ops),
>>
>> The goal of GPII-4273[i] is to provide a means by which the Morphic
>> client can fetch its platform's latest solutions registry from github.
>> In this case "latest" is defined by the version of gpii-universal
>> running in the cloud.
>>
>> I've modified the solutions registry datasource (SRDS) subcomponent of
>> the local flow manager (LFM) to construct an url to github for the
>> appropriate solutions registry and make a GET request to download it.
>> An example of such an url is, assuming Morphic is running on Windows:
>>
>> https://raw.githubusercontent.com/GPII/universal/bd992f03313acd9a35b81f00fc63922540292255/testData/solutions/win32.json5
>>
>> I have modified the production tests to test the new LFM and its SRDS.
>> The production tests involve running docker containers built from an
>> image of gpii-universal that provide the main components of the GPII
>> cloud.
>>
>> The production tests also run in GCP in dev and stg. Here a
>> "productiontests" container is run in which the production tests are
>> executed as a one-shot job.
>>
>> Given that background: will the security within GCP allow the LFM/SRDS
>> within the productiontests container to make the outgoing GET request to
>> github? I suspect not, but I will test with my dev cluster.
>>
>> i. https://issues.gpii.net/browse/GPII-4273
>>
>> --
>> ;;;;joseph.
>>
>> 'The only reason for time is so that everything doesn't happen all at
>> once.'
>> - B. Banzai -
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://lists.gpii.net/mailman/listinfo/architecture
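As an added example that is not part of this thread or of GPII's code: a Node.js sketch of the two checks the thread raises, namely refusing any registry URL that is not pinned to a full commit hash, and verifying a detached signature over the downloaded bytes before they are parsed. The function names, the Ed25519 scheme, the one-entry platform allow-list and the demo key pair and registry body are assumptions made for illustration.

```javascript
// Added illustration; names are hypothetical, not taken from gpii-universal.
const crypto = require("crypto");

const RAW_HOST = "raw.githubusercontent.com";
const REPO_PATH = "GPII/universal";
// Allow-list of platform file names; only "win32" appears in the thread.
const PLATFORMS = new Set(["win32"]);

// Build the commit-pinned URL. A branch or tag name in the ref position is
// mutable, so anything other than a full 40-hex commit hash is rejected.
function buildRegistryUrl(commit, platform) {
    if (!/^[0-9a-f]{40}$/.test(commit)) {
        throw new Error("ref must be a full 40-character commit hash");
    }
    // The allow-list also keeps path separators out of the URL.
    if (!PLATFORMS.has(platform)) {
        throw new Error("unknown platform: " + platform);
    }
    return `https://${RAW_HOST}/${REPO_PATH}/${commit}` +
        `/testData/solutions/${platform}.json5`;
}

// Verify a detached Ed25519 signature over the exact bytes received.
// Call this before parsing so unverified content never reaches the parser.
function verifyRegistry(bytes, signature, publicKey) {
    return crypto.verify(null, bytes, publicKey, signature);
}

// Constructed demo data: a throwaway key pair and a tiny registry body.
// In a deployment the public key would ship with the client (assumption).
function demo() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    const registry = Buffer.from('{ "com.example.app": { name: "Example" } }');
    const signature = crypto.sign(null, registry, privateKey);
    const tampered = Buffer.concat([registry, Buffer.from(" ")]);
    return {
        url: buildRegistryUrl("bd992f03313acd9a35b81f00fc63922540292255", "win32"),
        genuine: verifyRegistry(registry, signature, publicKey),
        tampered: verifyRegistry(tampered, signature, publicKey)
    };
}
```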
