Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Provenance in OCI images #3957

Open
2 of 9 tasks
laetho opened this issue Jan 13, 2025 · 1 comment
Open
2 of 9 tasks

[FEATURE] Provenance in OCI images #3957

laetho opened this issue Jan 13, 2025 · 1 comment
Labels
enhancement New feature or request

Comments

@laetho
Copy link
Contributor

laetho commented Jan 13, 2025

Affected project(s)

  • documentation
  • examples
  • wasmCloud host
  • wasmCloud CLI (wash)
  • wasmCloud dashboard UI (washboard)
  • capability providers
  • provider bindgen
  • control interface client
  • other / not sure

Is your feature request related to a problem? Please describe.

This issue is more of a discussion type, than a concreate feature request.
This issue was prompted by a discussion on the wasmcloud slack.

When pushing an OCI image with wash, how do we want build provenance to be propagated?

The OCI spec contains quite a few pre-defined annotation keys for embedding provenance in the image (org.opencontainers.image.[authors,url,source,documentation,version,etc]).

Some registry implementations like GitHub Packages uses the org.opencontainers.image.source information to connect the pushed image to the specific repository. If the information is missing you will have to manually link them.

Having provenance information embedded in the image is a good thing for inspecting origin or opening up the provider or component image to platform policies.

When and how?

wash push supports adding annotations today with the -a flag and is opt-in. Which is a good thing.

At what level should convenience helpers be implemented?:

  • Closer to the project native tooling?
  • Upstream work?
  • Closer to the product/ecosystem adopted? (example: github action)

A component or provider image without any metadata feels rather suspect and not something I personally would run in any important environment.

Of the pre-defined annotations in OCI spec, which of this should be subject to information leakage scrutiny?

Describe the solution you'd like

I would like to see some alignment with upstream wasi work and oci annotation intent. It can be opt-in, but images without atlest some provenance feels wrong.

Describe alternatives you've considered

Using the "-a" flag in wash push in our own ci/cd and try to follow the oci spec intentions.

Additional context

Other somewhat related issues in wasmcloud project:
@laetho laetho added the enhancement New feature or request label Jan 13, 2025
@ossfellow
Copy link
Contributor

I personally set all OCI image annotations in my own builds.
However, provenance and annotation use are two very different topics.

As I'm sure you know, there is nothing in a CI/CD pipeline, which can prevent fake annotations, or detect the authenticity of image annotations.

On the other hand, provenance requires traceability and authenticity verification.

Nevertheless, I also think that setting annotations and having more metadata is a good idea.
Thank you for proposing it.

@ossfellow ossfellow mentioned this issue Feb 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@laetho @ossfellow