The Notary project has officially been accepted into the Cloud Native Computing Foundation (CNCF). The repository has moved to https://github.com/theupdateframework/notary, which is the canonical location going forward; any downstream consumers should update their Go imports to use the new path.
Because the repository was moved within GitHub rather than copied, GitHub's redirect keeps the old location working for existing importers until they switch to the new import path.
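Updating the import path by hand across a large code base is error-prone, so the following is an added example (not part of this announcement and not Notary's own tooling) of a small Go program that rewrites import paths on the parsed AST rather than with a textual search-and-replace. It assumes the old import prefix was github.com/docker/notary (not named on this page) and operates on a constructed sample file embedded as `sampleSource`; the `RewriteImports` function and its parameter names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"go/format"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSource is a constructed Go file that still imports the old
// (assumed) Notary path. It is only parsed, never compiled.
const sampleSource = `package main

import (
	"fmt"

	"github.com/docker/notary/client"
	"github.com/docker/notary/tuf/data"
)

func main() {
	_ = client.NewFileCachedRepository
	fmt.Println(data.CanonicalRootRole)
}
`

// RewriteImports parses one Go source file and rewrites every import path
// that is exactly oldPrefix, or that lies below it (oldPrefix + "/..."),
// so that it points at newPrefix instead. Working on the AST means that
// strings and comments that merely mention the old path are left alone,
// and a look-alike such as oldPrefix + "x" is not touched either.
// It returns the reformatted source and the number of imports changed.
func RewriteImports(src []byte, oldPrefix, newPrefix string) ([]byte, int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "", src, parser.ParseComments)
	if err != nil {
		return nil, 0, err
	}

	changed := 0
	for _, imp := range f.Imports {
		// imp.Path.Value is the quoted literal, e.g. "\"fmt\"".
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, 0, err
		}
		if path != oldPrefix && !strings.HasPrefix(path, oldPrefix+"/") {
			continue
		}
		newPath := newPrefix + strings.TrimPrefix(path, oldPrefix)
		imp.Path.Value = strconv.Quote(newPath)
		changed++
	}

	// format.Node re-emits the file in gofmt style from the modified AST.
	var buf bytes.Buffer
	if err := format.Node(&buf, fset, f); err != nil {
		return nil, 0, err
	}
	return buf.Bytes(), changed, nil
}

func main() {
	out, n, err := RewriteImports([]byte(sampleSource),
		"github.com/docker/notary", "github.com/theupdateframework/notary")
	if err != nil {
		panic(err)
	}
	fmt.Printf("rewrote %d import(s):\n%s", n, out)
}
```

To apply it to a tree, read each `.go` file, pass its contents through `RewriteImports`, and write the result back when the returned count is non-zero; because the rewrite is anchored on the import specs of the parsed file, a prefix match on the package path is enough and no regular expression over raw text is needed.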
2. What is Notary?
A highly secure platform for signing collections of digital content.
● Golang implementation of The Update Framework (TUF)
● Used in Docker Content Trust for container image signing
3. “TUF has been designed by academic experts in the subject, based both on research and existing real-world systems. Our crypto-humility should cover not just crypto algorithms but extend to whole system designs.”
— Duncan Coutts, Cabal maintainer
4. CNCF Donation
● Quorum of votes reached.
● Paperwork to be completed.
● We have a logo now:
5. TUF Augmentation Proposals (TAPs)
Accepted:
● Multi-delegation thresholds
● Remove native support for compressed metadata
In Review:
● Multi-repo thresholds
● Self service key rotation
9. Goals
● Standardized report format for scanners
● Understand use cases for scanners
● Tooling so that scanning users can easily integrate and consume scan results
10. What do we mean by “scanning”?
● Any inspection and analysis of container images
11. Types of Scanning
Code Analysis
● Code security issues
○ SQL Injection
○ Bad file permissions
● Sensitive data in code/config
Binary Analysis
● Fingerprinting for CVEs
● Deep inspection of statically compiled binaries
12. Use Cases
● Vulnerability Scanning for:
○ Compliance
○ General health
● License Auditing
● Software Inventorying
13. Progress on tooling
● Google announced and open sourced Grafeas last week
● Google also announced Kritis, which is yet to be open sourced