Update docs to reflect use of reference types over oci index #80
Conversation
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
There was a problem hiding this comment.
I don't know that we want to completely remove all mention of oci-index since there's probably a scenario to capture where someone pulls the top level index and wants to verify the resulting image before running it. We may still satisfy that use case by verifying the nested image, but users may want some assurance that Notary v2 will work if they build and/or deploy multi-platform images.
scenarios.md
Outdated
| * In addition to the `image`, `SBoM` and `src` artifacts, the build system produces an [OCI Index][oci-index] that encompassed the three artifacts. | ||
| * Each of the artifacts, and the encompassing `index` are signed with the Notary v2 wabbit-networks key. | ||
| 2. The Wabbit Networks net-monitor index and its signed contents are pushed to a public OCI compliant registry. | ||
| * In addition to the `image` the `SBoM` and `src` artifacts are created as reference types to the image, creating a graph of artifacts. |
There was a problem hiding this comment.
To avoid confusion, I'd just remove the "image" mention here.
| * In addition to the `image` the `SBoM` and `src` artifacts are created as reference types to the image, creating a graph of artifacts. | |
| * The `SBoM` and `src` artifacts are created as reference types to the image, creating a graph of artifacts. |
Yeah, good point that we do support any manifest, including signing a multi-arch index. This is really just an update to reflect the learnings and pivot from constantly updating an index everytime a new signature is added, to using reference types to represent a true graph. I think we can track the multi-arch question separately from this high-level overview. |
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Agreed. I think have a PR that needs updating to update that covers this. LGTM |
Signed-off-by: Steve Lasker stevenlasker@hotmail.com