This repository has been archived by the owner on Jul 30, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathTODO
50 lines (38 loc) · 2.22 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# Public Release
x Take github credentials via environment variables
x Submit automatically after github publish happens - printed out submit instead
x Print out an rget command after submission for a user to test
x Add prometheus metrics exporting for GET requests and submission requests and hook up to stackdriver
x Implement vanity import path https://sagikazarmark.hu/blog/vanity-import-paths-in-go/
x Use a different path for submissions. probably /submit or something
x File issues for creating a Trillian frontend
- Introduce rget check to check a URL works and when the certificate was issued, etc
- Make the rget root command output more useful output
x SHA256SUMS file checked
x sum of the file
- Date of the certificate issuance
x SCT checks succeeded and the logs used
x Logs checked and succeeded
- Any failed checks
- File progress if tty
- Remove panic() from the entire codebase
- Submit returns URL for domain
- Define well-known URL for discovering domain for release discovery for a domain
- Add log-search command that dumps URLs to various log search engines
- https://crt.sh/?Identity=%25.v2-0.releases-test.philips.github.com.established.ifup.org
- https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:true;domain:v2-0.releases-test.philips.github.com.established.ifup.org&lu=cert_search
- Add a test script that tries a GitHub project without SHA256SUMS
- Add test script that uses a self-signed TLS certificate not in the log
- Define roadmap for self-hosting
## PR+1 - All file GH Release Test
Use: Prove that the sha256sum can support all files for a given release
- Introduce database to hold onto sha256sum info and index to org/project/release tuple
## MVP+3 - All digests for a Docker image
Use: Prove that the scheme works for docker images as well
## Public Release
- Index top NNN docker images and github repos into the service
# Lessons Learned
- Let's encrypt requires a CN that is shorter than 64 bytes. Thus 5c793eed08df469f8a40a0465f767677.secured.ifup.org
- Github has multiple URLs for the same release tarball depending on API or website lookup
# Nice to have
- Save OAUTH token for github into a config file