
Document the security best practice #185

Closed
FeynmanZhou opened this issue Apr 27, 2023 · 2 comments · Fixed by #228, #219, #270 or #223
Comments


FeynmanZhou commented Apr 27, 2023

We need to document the security best practice to tell users how to use Notation in a security posture. The security best practice and considerations include but are not limited to:

  • Security considerations for developing and using Notation plugins. The plugins should be documented such that the security trade-offs are clear to plugin developers and users.
  • Security considerations for using container registries, such as using the --insecure flag when Notation interacts with an HTTP registry.
  • Notation authentication (Credential Store and environment variable).
  • What users should do against the threat model doc: create notation threat model specifications#242

This is a big topic. We can iterate on the content creation.

@FeynmanZhou FeynmanZhou added the documentation Improvements or additions to documentation label May 8, 2023
@FeynmanZhou FeynmanZhou added this to the 1.0.0 milestone May 8, 2023
FeynmanZhou (Member Author) commented

Notation is installed on the user's file system. The ongoing threat model highlights that a compromise of the file system in which Notation is deployed might be a major security risk. As such, users should be aware of the risks associated with slacking on the security of the file system in their usage. We need to remind users to make sure their file system is secure with strict permission in the installation guide.
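The file-system point above is checkable. The following is an added example, not part of the Notation project or its documentation: a POSIX shell function that walks a directory (the location of Notation's config, trust policy and plugins is assumed here, the real default differs per platform) and reports any entry that is group- or world-writable or not owned by the current user. It is run against a constructed temporary tree, not a real installation.

```shell
#!/bin/sh
# Added example (not Notation's own code): verify that a directory holding
# Notation's trust policy and plugins is writable only by its owner.
# The directory layout below is constructed for the demo; the real default
# config location is an assumption and varies per platform.

# check_strict_perms DIR
# Prints every entry under DIR that is group- or world-writable, or that is
# owned by someone other than the current user. Returns 0 when the tree is
# clean, 1 when something was flagged, 2 when DIR is not a directory.
check_strict_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    me=$(id -un)
    # -perm -020: group write bit set; -perm -002: other write bit set
    bad=$(find "$dir" \( -perm -020 -o -perm -002 -o ! -user "$me" \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on a constructed directory tree under mktemp, not a real install.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/plugins"
chmod 700 "$demo_dir" "$demo_dir/plugins"
touch "$demo_dir/trustpolicy.json"
chmod 600 "$demo_dir/trustpolicy.json"
check_strict_perms "$demo_dir" && echo "ok: $demo_dir is owner-only"

# Loosen one file: a world-writable trust policy lets anyone on the host
# change which signers are trusted, so the check must now flag it.
chmod 666 "$demo_dir/trustpolicy.json"
check_strict_perms "$demo_dir" || echo "flagged: trust policy is world-writable"
rm -rf "$demo_dir"
```

The function only reads mode bits and ownership, so it is safe to run from a shell profile or a CI step before invoking notation; a non-zero exit is the signal to stop and fix permissions rather than proceed with signing or verification from a directory another account can alter.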

@yizha1 yizha1 moved this from Todo to In Progress in Notary Project Planning Board May 23, 2023

zr-msft commented Jun 5, 2023

Fixed by #228 #219 #270 #223
