Support passing --insecure-policy#127
Conversation
Signed-off-by: Peter Bynum <pkpbynum@gmail.com>
pkpbynum
force-pushed
the
pb/insecure-policy
branch
from
526cdf7 to
a3828ad
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces support for the --insecure-policy flag in skopeo, allowing users to disable signature verification. The changes include adding an insecure_policy field to the ImageProxyConfig struct, implementing the logic to pass this flag to the skopeo command, and adding a corresponding test case to ensure correct functionality. The implementation is clean and follows idiomatic Rust practices, particularly with the use of Option<bool> and unwrap_or_default() for handling the boolean flag. The new feature is well-integrated and tested.
But...shouldn't that just be fixed in https://github.com/containers/container-libs/ ?
container images? Yeah sounds cool, though I am not quite sure I understand the relationship of this PR to the policy. Are you saying e.g. you don't need to cosign/gpg sign the container because you know the digest in advance? And your system will communicate expected digests for updates? I am very very interested in intersections of nix and bootc/composefs, so keep these things coming! |
You have since created oci: Add fast path for oci: transport using ocidir crate--which is better and unblocks this. The issue I ran into is that |
2 participants
This PR supports build environments that cannot supply a policy at the standard file paths (specifically nix). Eventually, I'd like this to also be consumed in composefs-rs such that we can produce composefs images at build time in the nix sandbox. In this environment, the hash of the build output is known & trusted before the image is fetched.