Story #2625

closed

As a user, I can sync content trusted manifests

Added by ipanova@redhat.com almost 8 years ago. Updated over 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Target Release - Docker:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

During sync we fetch manifests from the registry by tag. Yes, we do some digest verification, but it is not enough. What we do is compare the docker-content-digest received in the response headers with the digest calculated from the fetched JSON.

To properly verify it, we need to know what digest to expect. It doesn't add any security to check against the Docker-Content-Digest returned by the registry, since if the manifest is replaced with a malicious one, the Docker-Content-Digest will also change to match that malicious manifest.

I still do not have enough information on how we could solve all this, but the current approach definitely does not protect us from malicious intent.
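The gap described above, as an added example that is not part of the original ticket or of Pulp's code: the header comparison passes for any manifest the registry serves, while a comparison against an independently known digest rejects a replaced one. The manifests, the `fake_registry_response` helper and `EXPECTED_DIGEST` are constructed for illustration; where the expected digest would come from is an assumption, since the ticket leaves that open.

```python
import hashlib
import hmac
import json


def sha256_digest(body: bytes) -> str:
    """Digest in the registry's 'sha256:<hex>' form, over the exact bytes received."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def verify_against_header(body: bytes, headers: dict) -> bool:
    """The check described in the ticket: computed digest vs. the response header."""
    return sha256_digest(body) == headers.get("Docker-Content-Digest")


def verify_against_expected(body: bytes, expected_digest: str) -> bool:
    """Computed digest vs. a value learned independently of this response."""
    return hmac.compare_digest(sha256_digest(body), expected_digest)


def fake_registry_response(manifest: dict):
    """Constructed stand-in for a registry answering a manifest-by-tag request."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, {"Docker-Content-Digest": sha256_digest(body)}


# Constructed sample manifests; the layer digests are placeholders, not real images.
GENUINE = {"schemaVersion": 2, "layers": [{"digest": "sha256:" + "a" * 64}]}
REPLACED = {"schemaVersion": 2, "layers": [{"digest": "sha256:" + "b" * 64}]}

# Assumption: the expected digest was recorded from a trusted source beforehand.
EXPECTED_DIGEST = sha256_digest(json.dumps(GENUINE, sort_keys=True).encode())


def check(manifest: dict) -> dict:
    """Run both checks on what the stand-in registry returns for `manifest`."""
    body, headers = fake_registry_response(manifest)
    return {
        "header_check": verify_against_header(body, headers),
        "expected_check": verify_against_expected(body, EXPECTED_DIGEST),
    }


if __name__ == "__main__":
    print("genuine :", check(GENUINE))
    print("replaced:", check(REPLACED))
```

The header check still catches a body corrupted in transit, but it says nothing about whether the manifest is the one the publisher intended.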

Actions #1

Updated by ipanova@redhat.com almost 8 years ago

  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com almost 8 years ago

  • Description updated (diff)
Actions #3

Updated by ipanova@redhat.com almost 8 years ago

  • Tracker changed from Issue to Story
  • Subject changed from Syncronyzed manifests are not content trusted to As a user, I can sync content trusted manifests
  • % Done set to 0
Actions #4

Updated by bmbouter over 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #5

Updated by bmbouter over 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #6

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
