Package: debuerreotype
Version: 0.10-1
Severity: normal

Hello!

I'm not sure that this is the right place to file this issue, but I was unable to find a better place. Feel free to redirect to a more suitable place. I talked to the debian-cloud people and they didn't think that this was their purview.

I really value the debian built docker images that are available at Docker Hub. The fact that they are built in a reproducible fashion, and are available as "official" docker images (which means that they are verifiable through Docker Content Trust (DCT) signatures) goes a long way for reducing my paranoia. I am not writing to suggest any of that change, I think it should definitely stay that way.

The reason I'm writing is because I'd like to have the option of obtaining these images from Debian directly, from a Debian controlled registry that is properly notarized to provide the same cryptographically verifiable trust chain as is provided through Docker Hub. Being able to verify the images from the same root of trust that the operating system depends on would be a nice improvement.

Considering that the images are essentially building Debian, on Debian, it would be nice to not have to rely on docker.io to trust the resulting images. Sure, they are signed, but the trust root itself is not coming from Debian itself. When I `debootstrap` from a debian system, by default, it already verifies the packages pulled automatically, from the same root of trust that the OS depends on. It would be nice to get my debian docker images from a debian registry, and not have to trust Docker Hub as a secondary verifier.

Understandably, this isn't a trivial effort. It requires a debian provided registry, and a TUF configured notarization process. Each of these is an effort in itself.

Maybe a good starting point would be to provide a simple registry service at https://docker.debian.net, where you can already find the image checksums. It doesn't have to be a notarized one from the beginning, but just a registry where the same images that are pushed to Docker Hub are also pushed. Perhaps using the built-in registry at Salsa would be another option. Once things are reliably being pushed to a registry on debian.net, or salsa, then building the notarization pieces for verification would be next. Once that has been completed, then perhaps this can become a proper Debian service.

Thanks for considering this, and thanks for working on these images!

micah

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debuerreotype depends on:
ii  debian-archive-keyring  2019.1

Versions of packages debuerreotype recommends:
pn  debootstrap  <none>

Versions of packages debuerreotype suggests:
pn  diffoscope  <none>
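The report's core point is that a signature from Docker Hub's notary only pins the image's manifest digest, and everything below that digest (the layer blobs) is verified by content addressing, not by the registry. The following added example (not code from the bug report or from the debuerreotype project) shows how that chain works offline: a manifest loosely modelled on the OCI image-manifest layout references layers by `sha256:` digest, and a verifier checks a manifest fetched from an untrusted registry against a digest obtained from a trusted source (in the report's scenario, a Debian-controlled checksum list or TUF metadata), then checks every layer blob against the digest the manifest names. The blobs, the manifest and the "trusted" digest are all constructed here; nothing is downloaded.

```python
import hashlib
import json

# Constructed sample layers standing in for rootfs tar blobs (not real images).
LAYER_BLOBS = {
    "layer-a": b"fake rootfs tar layer A (constructed)",
    "layer-b": b"fake rootfs tar layer B (constructed)",
}

MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"
LAYER_MEDIA_TYPE = "application/vnd.oci.image.layer.v1.tar+gzip"


def sha256_digest(data: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form registries use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(blobs: dict) -> bytes:
    """Serialize a manifest deterministically so its digest is stable.

    Registries hash the exact manifest bytes they store; here we emit
    canonical JSON (sorted keys, no whitespace) to get the same property.
    """
    layers = [
        {"mediaType": LAYER_MEDIA_TYPE, "size": len(blob), "digest": sha256_digest(blob)}
        for blob in blobs.values()
    ]
    manifest = {"schemaVersion": 2, "mediaType": MANIFEST_MEDIA_TYPE, "layers": layers}
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def verify_manifest(manifest_bytes: bytes, trusted_digest: str, blob_store: dict):
    """Verify an image fetched from an untrusted registry.

    trusted_digest comes from a source you trust independently of the registry
    (a signed checksum list, TUF targets metadata, a DCT signature). Returns
    (ok, reason). Any mismatch is a hard failure: the image must not be used.
    """
    # 1. The manifest digest is the only thing the trust root pins; if the
    #    bytes served do not hash to it, the registry substituted a manifest.
    if sha256_digest(manifest_bytes) != trusted_digest:
        return False, "manifest digest mismatch"

    manifest = json.loads(manifest_bytes)
    if manifest.get("schemaVersion") != 2:
        return False, "unsupported manifest schema"

    # 2. Every layer is content-addressed by the manifest, so a registry that
    #    serves a different blob under a layer's digest path is caught here.
    for layer in manifest.get("layers", []):
        expected = layer["digest"]
        blob = blob_store.get(expected)
        if blob is None:
            return False, f"layer blob missing: {expected}"
        if sha256_digest(blob) != expected:
            return False, f"layer digest mismatch: {expected}"
        if len(blob) != layer["size"]:
            return False, f"layer size mismatch: {expected}"
    return True, "ok"


if __name__ == "__main__":
    manifest = build_manifest(LAYER_BLOBS)
    trusted = sha256_digest(manifest)          # what a Debian-held checksum would pin
    registry = {sha256_digest(b): b for b in LAYER_BLOBS.values()}
    print("clean registry:", verify_manifest(manifest, trusted, registry))

    # Simulate a registry that swaps one layer's content but keeps the digest path.
    tampered = dict(registry)
    tampered[next(iter(tampered))] = b"substituted layer content"
    print("tampered layer:", verify_manifest(manifest, trusted, tampered))
```

The point for the report's proposal: as long as the digest comes from a trust root you already rely on (the same keyring that `debootstrap` validates against, or TUF metadata published by Debian), the registry that serves the bytes can be anything, including Docker Hub or a simple mirror at docker.debian.net, and a substitution anywhere in the chain fails the check.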