Hi,

I think as long as we are using the official ASF "dist.apache.org" to obtain the release distributions, it is fine to only check against the SHA512 sums (file integrity) imho.

Regarding the PGP checks (author / release manager integrity): it might be beneficial to take a look at https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification and use a HKPS keyserver or a similar approach for building our docker images with PGP checks. Wdyt? I think it would be nice to have both checks.

Regards
Richard

On Wednesday, 14.07.2021, 14:39 +0000, Jenkins, Rodney J (Rod) wrote:
> Jon,
>
> Here is a link with more info on the key server issues:
> https://github.com/tomitribe/docker-tomee/pull/47#issuecomment-872093674
>
> I was able to reproduce these. I have not been able to reliably
> build an image in the last couple weeks.
>
> There is another issue blocking TomEE 9.0. It looks like there is a
> missing key fingerprint from David’s new keys he uploaded. See the
> email on this list on 5/29.
>
> In my opinion, it is simpler to use the SHA and seems to be more
> reliable.
>
> I have a PR request out there to remove the windows files. David did
> give me access to approve that, but I am assuming that we would
> prefer someone else to approve it.
>
> I will start on a list of new tags to add to the images.
>
> Thanks,
> Rod.
>
>
> From: Jonathan Gallimore <[email protected]>
> Date: Wednesday, July 14, 2021 at 5:07 AM
> To: [email protected] <[email protected]>
> Subject: [EXTERNAL] Re: Docker image change requests
>
> Nationwide Information Security Warning: This is an EXTERNAL email.
> Use CAUTION before clicking on links, opening attachments, or
> responding. (Sender: [email protected])
>
> ------------------------------------------------------------------------------
>
> Hi Rod,
>
> Can you elaborate on what the keyserver issue is? That sounds like the
> immediate blocker.
>
> We publish SHA512 checksums so I'm fine with using them, although a GPG
> check is also nice.
>
> I'm a +1 on the additional tags, and removing the .exes from the bin
> directory.
>
> Jon
>
> On Fri, Jul 9, 2021 at 7:35 PM Jenkins, Rodney J (Rod) <[email protected]> wrote:
>
> > All,
> >
> > There are two requests and one issue at
> > https://github.com/tomitribe/docker-tomee/issues
> >
> > The issue needs to be resolved sooner rather than later. The base Debian
> > image has a vulnerability in it, we need to rebuild it. I will get that
> > going. However, I am concerned with the key server issues. I would like a
> > discussion on moving to the sha512 checksums.
> >
> > Adding additional tags was requested back in 2017. I like this idea. For
> > example we would point the “plus” tag at the latest 8 version on the newest
> > jre. Additional tagging is something we should be doing.
> >
> > Cleanup of the bin directory is an easy fix. This would make our images a
> > bit smaller, which users like.
> >
> > I am happy to make these changes, or have a discussion.
> >
> > Please advise,
> > Rod.
> >

--
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics
Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39
D-74081 Heilbronn
phone: +49 7131 504 6791 (currently not reachable by phone)
mail: [email protected]
web: https://www.mi.hs-heilbronn.de/
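A sketch of the two checks discussed in this thread (SHA512 sum for file integrity, detached PGP signature with the key fetched over HKPS and pinned by fingerprint, as in the docker-library FAQ Richard links), added here as an example and not taken from the thread or from the docker-tomee project's own Dockerfile. It assumes the artifact, its `.sha512` file and its `.asc` signature have already been downloaded from dist.apache.org, that the release manager's full fingerprint is taken from the project's KEYS file, and that `hkps://keys.openpgp.org` is the HKPS keyserver; the file names and that keyserver are assumptions. It goes slightly beyond the mail by showing, on constructed data, that a tampered artifact is rejected by the checksum step.

```shell
#!/bin/sh
# Two-step verification of an ASF release artifact during a Docker image build:
#   1. SHA512 sum published beside the artifact on dist.apache.org (file integrity)
#   2. detached PGP signature, with the release manager's key fetched over HKPS
#      into a throw-away keyring and pinned by full fingerprint (author integrity)
# Added example, not the docker-tomee project's own build script. The keyserver
# URL, the file names and the fingerprint handling are assumptions.
set -eu

# Hex SHA512 digest of FILE, using whichever tool the base image provides.
digest_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_sha512 FILE SUMFILE
# SUMFILE is "<hex digest>  <name>" as produced by sha512sum. Only the digest
# column is compared (case-insensitively), so the name column may differ from
# the local path. Returns 0 on match, 1 on mismatch or an empty digest.
verify_sha512() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(digest_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_pgp FILE SIGFILE FINGERPRINT [KEYSERVER]
# Imports exactly the pinned key into a fresh GNUPGHOME, so a keyserver that
# returns the wrong key, or none at all, fails the build instead of passing.
# Needs network access; the demonstration below does not call it.
verify_pgp() {
    keyserver=${4:-hkps://keys.openpgp.org}   # assumed HKPS keyserver
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    if gpg --batch --keyserver "$keyserver" --recv-keys "$3" \
       && gpg --batch --verify "$2" "$1"; then
        rc=0
    else
        rc=1
    fi
    gpgconf --kill all 2>/dev/null || true   # stop the agent before cleanup
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return $rc
}

# Demonstration on constructed data (no network): a good artifact passes and a
# tampered one fails. The payload stands in for a real apache-tomee tarball.
demo=$(mktemp -d)
printf 'constructed release payload\n' > "$demo/apache-tomee.tar.gz"
printf '%s  apache-tomee.tar.gz\n' "$(digest_of "$demo/apache-tomee.tar.gz")" \
    > "$demo/apache-tomee.tar.gz.sha512"
if verify_sha512 "$demo/apache-tomee.tar.gz" "$demo/apache-tomee.tar.gz.sha512"; then
    echo "sha512 ok"
fi
printf 'tampered\n' >> "$demo/apache-tomee.tar.gz"
if ! verify_sha512 "$demo/apache-tomee.tar.gz" "$demo/apache-tomee.tar.gz.sha512"; then
    echo "tampered artifact rejected"
fi
rm -rf "$demo"
```

In a Dockerfile both functions would run in the same `RUN` step as the download, so a failed check aborts the layer. The fingerprint passed to `verify_pgp` should come from the project's KEYS file rather than from the keyserver itself; the keyserver only supplies the key material, and the pinned fingerprint is what ties the signature to the release manager.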