From YouTube: Harbor Community Meeting - Aug 11, 2021
Description
CNCF Harbor's Community Zoom Meeting
A
Okay, hello everyone, my name is Olympus and I'm the community manager for Harbor. Today is August 11th and that's our community meeting for the European and China time zone. Welcome everyone, and today I see two topics at it and let's go through them one by one. Proposal for tracing. Do we have can on the call?
B
In this release, I propose to add the feature of distributed tracing for Harbor, and this is my proposal. As we can see, the background for why we added the tracing for Harbor is that, for the modern application, the tracing is a very key feature for applications' online debugging, and it can also help to improve their performance and such kind of thing, and for the application's observability.
B
There are three pillars: the logs, the metrics and the tracing, and Harbor already has the logs and the metrics. So we just added the last pillar, tracing, in this feature. In this release, we plan to add tracing for the components Harbor core, Harbor jobservice and registryctl, because these three components are a very important part of Harbor and we need to.
B
The tracing information in these components is very helpful for people to debug issues online, and can also help the developers of Harbor to improve their performance online, because we can get the request time or some information to guide us to where all the time is spent in a Harbor service, and we can improve it and.
B
B
The goals of this also include enabling it on a k8s environment, and the non-goals include, oh yeah: we just enable the three components that, as I mentioned, foreign, and the other components like Postgres, Redis, Trivy, maybe in the future we will add it.
B
B
There are also some standards for tracing. The most popular is the OpenTracing standard and OpenCensus, but OpenTracing and OpenCensus, they will merge into one project, that is OpenTelemetry. Maybe the library, the third party library may be less than that about it. I think the OpenTracing is the future of what the open tennis story. OpenTelemetry is the future of tracing and.
B
B
So this is one reason we chose it. Maybe someone doesn't know the difference between the tracing and the logs and the metrics. The metrics let us know the overview state of the system, and the tracing focuses on one request, so it can help us to locate the root cause, why something wrong happened. And the notes in the tracing: we can also log some information in the trace, and there are some differences from the logs, because the logs record all the information that happened.
C
B
As we all know, when we debug Go applications, we will use profiling to get something like CPU time, memory usage or goroutine information, stacks, goroutine stacks or something like that. About the history, distributed tracing has something in common with profiling, in that distributed tracing will record the time elapsed in each of the functions you care about, but the information from profiling is much more than distributed tracing and it also well.
B
It also needs more resources than distributed tracing, so we cannot always open the profiling, but we can always open the distributed tracing on our service. And this is the proposal of how to implement it. The first thing, we need to add some configurations in our Harbor config file like this, and there are different kinds of things we need to trace. The like.
B
We mentioned the progress like HTTP client, HTTP server, and we can use this kind of snippets to wrap our HTTP server and HTTP client, and for our core we have a middleware, so we can use this, this is just pseudo code. We can use this kind of code to add a middleware in our core, and in each component we want to add the trace we can use.
C
When is the merge, what is the status on the merge? The work.
B
Actually they already merged, because when you go to the, like, as you can see when you.
B
B
All the new features, I think, will be implemented in OpenTelemetry, and OpenTelemetry has metrics: it can record metrics and tracing, and the tracing is the generally available version, the tracing feature, rather than metrics, which is also in beta. I think so.
B
C
Okay, got it. I think also another comment in your section on, you know, what is the difference between tracing and metrics, right? Yeah, one thing you can emphasize is tracing is really, you know, it's looking at a single event, right. It's looking.
B
C
How long a request is spent in, you know, the front end or back end or the database or, yeah, going through some external service, but it's very much a single event, right, so it does.
C
Okay, all right, thanks so much. I think this is something that was requested about, I think, like more than a year ago, and we never really. We've been, you know, adding, we've been working on telemetry right through.
A
B
A
Yeah, telemetry, just before OpenTelemetry was announced back in 2020 or mid 2019 on KubeCon.
C
B
The next year, yeah, the last year the tracing feature was in beta, but this year it is GA.
A
C
B
Yeah, from this respect, it will add some more resources for your running application, but.
B
But from this perspective it is really helpful to improve the software's improvement, because you know where the bottleneck is and you can just improve your bottleneck, and it will help to improve the whole performance. And the impact when tracing is, I think, the impact is less than one to five percent.
B
And also, if you think the data of the tracing is too large, maybe you can add some configuration like the sample rate. You can only trace, like, one tenth or one hundredth or something like that.
B
That's all, or I think maybe one, I read a paper from Google, the Dapper, and it only collects 0.1 of tracing data in production and that is enough to help them to locate the online issues and help them to improve their software.
A
A
I'm asking because I've hit that issue in the past: we enabled tracing of one component, and it was using quite a lot of resources, which not everyone wants to spare. So is there a mechanism how you can turn it on, for example, for a specific deployment, and you can test something then in production, for example?
B
I think it will impact, it will consume more resources.
B
The data, how much data you are organizing, is controlled by a lot of things: you can reduce the data as you're tracing your code, and also you can, like I mentioned, add the sampling rate, and we can also, because we have a queue in the library to receive the data, batch this data and send it to the tracing server or something like this. We can have some improvement in this to reduce the impact, but we cannot.
B
We cannot ignore it, but as a trade-off, the feature helps us, I think, more than it impacts the performance. The resource is already consumed.
B
A
And when do you think you can file that issue? So we can, and do you think we need a working group for this one?
A
B
Stone and me, I work on this feature, okay.
C
Yeah, I was gonna ask a question: is OpenTelemetry a replacement for something like Jaeger and Zipkin, or does it work, does it integrate with.
C
Okay, that makes sense, yeah. I think that was the, I remember that was the question in the very beginning, the context is, like, OpenTelemetry is like a framework, it's almost like a cache, or it collects the data, and then they want to analyze and visualize the data with their, you know, existing.
B
C
Deployment, so I think we need to, maybe we'll gain that in this ticket. I can add some use cases and we can make sure that those use cases are covered by this proposal.
A
C
Like garbage collection, right, garbage collection and replications.
D
C
All right, thanks, let's move on to the Cosign integration, because we spent some time looking at this, and I want to make sure we have plenty of time to go over the proposal.
D
Okay, let me give you a short description of the proposal about Cosign and Harbor. I did several investigations about Cosign and how Harbor can support Cosign, and this proposal is about the integration style.
D
So what is Cosign? Cosign is a part of the sigstore project and provides container signing and verification with OCI registry integrations. You can go into the Cosign repo to get some details, and basically it can provide signing and verification of an OCI artifact and push the signature as an OCI artifact into the distribution. So currently Cosign has its first production.
D
Ready, with this level is 1.0. So we're going to go back to the story, so why we're going to investigate Cosign. Currently Harbor is using Notary to offer a way to sign images, and Notary is also integrated into Harbor and overall offers a good experience, but some limitations of Notary have caused a challenge for users to distribute the signed artifact to another Harbor instance, but Cosign can provide this capability, so.
D
Cosign, the Cosign signatures are stored in the OCI distribution next to the container image, and we usually can just pull or push the signature like other artifacts. So okay, let's just start with the goals. So this proposal is to support Cosign in Harbor, and after support, all the existing functionalities can be applied to the signed artifact.
D
D
So in addition to that, because we do not want to manage public keys, Harbor cannot verify the signature. That means that we do not support signature verification in amazon. Also, we cannot support cosign clean. Cosign clean is to remove the signature from the registry, so why do we not support it? That is, cosign clean leverages the tag deletion API. This API is not a required implementation defined by the OCI spec, and Harbor so far does not implement it.
D
So, in the current release, Harbor cannot offer this operation, and also we cannot support cosign copy because, in the following I will have a detailed explanation about how we deal with the relationship between the signature and the artifact, but for the cosign copy.
D
Because of the sequence of the push operations, Cosign pushes the signature first and then pushes the artifact to Harbor. So it is hard for Harbor to build the relationship between the signature and the artifact. I also list some personas and user stories. So Cosign is the operation for any user who has the docker push permission of Harbor, so anyone who can push an image into Harbor can push a Cosign signature to Harbor as well, and I just list some user stories here.
D
After someone has pushed a Cosign signature to Harbor, the project admin can delete the signature via the UI or API, or GC an artifact as well as its Cosign signature. Things like that. So let's go to some details. Before I have a detailed implementation, I want to have a definition about the accessory.
D
D
So in this volatile you can see the concept signature as an accessory.
C
B
C
C
You know, that relationship is going to be used for a lot of the other policies that exist in Harbor today, and yeah, and then, you know, we call it an accessory, because we can.
A
D
So by default, Harbor will support Cosign. That means you do not need to specify any parameter in the installation step, like this Cosign's, you do not need it. What you need is just to install Harbor, and then Harbor supports Cosign. But if you specify to use Notary, it means that Harbor supports both Notary and Cosign. In addition to that, Harbor will provide two different kinds of signature policies to block users from pulling unsigned artifacts.
D
So this is the first design. In the future, if we decide to support only one signer in one deployment, we should define some behaviors, like if the user switches the signer from Notary to Cosign or Cosign to Notary, should we remove all the signature data from the database and the backend? And the artifact reference: Cosign signatures are stored as a separate artifact in the OCI registry, but just with a weak reference by its name. So as this picture shows.
D
D
But to guarantee the signatures will not be garbage collected by the registry, Harbor has to build up the relationship between the Cosign signature and the subject artifact, so I want to introduce a new table. Its name is artifact accessory. The most important value here is that we have one ID to indicate the subject artifact ID, which the signature belongs to, and with this reference Harbor will know the relationship between signature and artifact.
D
D
I just list the Cosign signature blob payload here. It's a simple signing format, and the simple signing format is defined by Red Hat. So if you want to know something about the payload details, you can go to this link to see details. I mean, we can see there is one key named docker-manifest-digest.
D
This digest is the subject artifact digest. Another thing here is that in Harbor we can copy an artifact from one project to another project. So for this operation we should do the relationship in the back end as well. So we can. This paragraph is the workflow.
D
D
There's no more API for the user to query the accessory of an artifact. Harbor will just append the accessories into the artifact payload.
D
D
Also Harbor should provide the API to delete the accessory, like the Cosign signature. So to delete the Cosign signature, we should just append accessory to the delete endpoint and give a type, that is the Cosign signature of Cosign.
D
This API will remove all the signatures of the artifact, and if you want to remove a specific one, just specify the digest here. So why do we have two APIs? Because Cosign can attach several signatures to one artifact.
D
D
So if the user selects the policy, like enable content trust, for the policy in the backend we should use another tracker to check whether there's a signature attached to the artifact or not, then use the result to determine whether to block the request.
D
So after we support Cosign and attaching a signature to an artifact, how do we manage the signed artifact in Harbor, so how does signing the artifact affect the Harbor behaviors? I list several items here.
D
The most concerned is about the replication. So after Harbor supports Cosign, a user can replicate the artifact and its signature to another Harbor instance. So this is the most concerned feature that we want to integrate with Cosign.
D
So, let's go back to the Cosign signature payload. We can see there's one key named docker-reference, and its value has the endpoint information. I just confirmed with the Cosign team, the Cosign client will not use this attribute to verify the signature. That means you can replicate the signature to any Harbor instance and the Cosign verification flow will not break. Another feature is about garbage collection, because Harbor knows the relationship between the signature and the artifact.
D
Other features will not have much impact. At least there are several behavioral differences between Notary and Cosign. The first one is, for the current design of Harbor with Notary: if you sign an image with Notary and then Harbor is without Notary enabled, the image will act as unsigned.
D
So this is the current design of Harbor, but for Cosign the behavior is different. If you sign an image with Cosign, unless a user removes the signature from the artifact, the image will always act as signed. Another big difference here is about the sign target: Notary attaches the signature to the image tag, but Cosign attaches the signature to the digest.
D
This is a big difference. I will give you an example: we have one image, that is hello-world, but we have two tags, v1 and v2. For Notary we can sign the v1 tag, but v2 is unsigned, but for Cosign we just sign the hello-world repository, so all of the tags, v1 and v2, act as signed. So I just list one item to be discussed about the sign tag.
D
It's just item one: Cosign attaches the signature to the digest by default. So should we apply the signature to all the tags of the artifact? This should be discussed.
D
D
D
Eventually, the signature is an artifact, so I have a question about the signature: should we treat the signature like other artifacts in Harbor? So if not, we do not have any flag to distinguish them.
D
D
So in the Cosign documentation, Cosign mentions that you can just specify tag equals something and use this kind of workload to sign a tag, and I do not think that's a good design. So my question here is: do we need to support this kind of scenario?
D
One last important item is about multiple signatures. Cosign can attach several signatures to one artifact, but Cosign is using a model of appending signatures, but with the same tag.
D
So this will not work for the immutable feature in Harbor, and the Cosign team is already aware of this. The Cosign team has already filed an issue about that and.
D
To resolve how Cosign works with a registry with immutable tags, someone provided an idea, that is we can add a random ID to the Cosign signature tag name to avoid using the same tag.
D
D
So Harbor will do some enhancement about the character to deal with this situation, and I also filed an issue to the Cosign repo to discuss with them how Cosign deals with this kind of scenario. And so the last thing, I just list several things for phase two, like we can manage public keys in Harbor, or we can support all the Cosign features as well.
C
Hey Alex, yep, thanks Sonia. I think this is really well summarized, and yeah, I just think that, you know, Cosign as a solution is not very mature, right. That's kind of my takeaway from reading all this and having.
C
If you had some discussions with you previously, it feels like, you know, we have to manage the verification, right. We have to either support the management of the keys directly or integrate against kind of a KMS to manage keys on Harbor, and that just kind of goes beyond what Harbor is trying to do. I like the Docker Content Trust framework around PKI, around public key infrastructure, right: you just turn on a flag, and pushing the image with, you know, DCT turned on is basically just an entry.
B
C
Logs in and draining another adb here, you know, first of all, we have to manage the relationship, you know, with the accessory artifact to bind the image to the signature, and then, once again, it feels like we're going through what we did to support OCI, right, all the behavior, creating policies and garbage collection and everything, we just have to think about.
C
You know, making this, we have to think about tuning, you know, the behavior of Harbor to accommodate for the signature, and I feel like Cosign has, you know, without the existence of a spec, right, they've sort of just thrown this work to the registry implementers, and it's possible that various registries that are attempting to use Cosign would, you know, come up with their own implementation and the artifact ultimately does not get persisted correctly with the signature, right.
C
The whole point is to be able to replicate an image with the signature intact, and I just, I don't know, I'm very, I'm not, let's say, I'm discouraged, I think there's opportunities here, but I think, you know, instead of rushing in to implement this right away, we should, you know, like you said, we keep keeping a watchful eye on everything else that's happening, right, in the process of v2, and I'm kind of wondering what does integrating Cosign with TUF mean exactly.
A
Okay, and I have a question without actually being very knowledgeable on the topic, but is that going to change much of the user experience, exchanging Notary with Cosign, or I didn't quite get the thing.
C
It changes the user experience, you know, vanyon was.
C
Okay, yeah, it changes the user experience. First of all, in terms of, you know, we're thinking about how do we implement both? Do we implement one or the other, and when you make that choice, right, do you pick the.
C
Solution that you want during deployment, and then, you know, we're also, you know, kind of thinking about, is the accessory, right, the signature artifact, is that something you've exposed to the users, to the UX at all, or is that just something that's sort of like metadata, right?
C
But it has to be closely tracked and tied to the artifact, or do you treat that, as you know, if we have to treat this as a special artifact, right, think about what that means: that means we obviously have to add some additional logic to the back end, right, add a bunch of if-else or whatever, to make sure that that does not get exposed to the UX and that, you know, all the different policies around retention and immutability.
C
These would not apply, or these would apply to the signature, right, but in a very specific way. I don't think we want to, you know, like some of the things that the use cases wanted to talk about. I agree with him. I don't think we want to implement some, like, the Cosign functionalities around copying and cleaning, because it's just very, I mean it's very proprietary, it feels like. I don't know if it makes sense for Harbor and from that logic, but for us, you know, we have to think about.
C
Do we allow the user to modify the signature, right? Do we allow him to attach multiple signatures? What happens if you push the same artifact multiple times, right, but with different signatures? How is that treated in Harbor, right? There's just a lot of different use cases to think about, because the nature of what a signature is and how it's tied to the image has completely changed.
C
It just feels like it's way more complicated than, you know, Notary based on TUF, that's very clean, right. The only thing that it doesn't give us is the ability to replicate the signature to another registry.
C
So, you know, there are positives and negatives with both approaches, so we're just trying to evaluate whether we should look into supporting Cosign at all, right. So this pull request is a design PR under the community repo. So I would appreciate if everyone can take a look and add your thoughts if you have come across this issue and have been thinking about Notary, or if you're watching Cosign and think about some of the experiences, right, of managing the signature and like well.
C
A
And another question: what kind of issues we faced with the Notary and the scaling, that was in the very beginning, and I'm just curious how Cosign is.
C
Solving them, the biggest, so this whole project, the motivation for looking into Cosign was you can't replicate a signed image to another registry, so from one Harbor to another. You can't do that because basically the domain, right, the FQDN, is embedded into the signature itself. So when you replicate it, it gets broken right there. So there's this effort to improve Notary, to build a Notary for the multi-registry world, and, you know, it's been an active, it's an active community.
C
You can find the Slack on CNCF, but it's something that has been in the works since KubeCon 2019, right, so it's been a while, and, you know, certain users, and I've heard this from downstream customers.
C
You know, they're kind of, they're a little bit frustrated, right, and I think that's what you're seeing in other organizations, right. A lot of companies have the requirements to ship signed artifacts, right, they need provenance for their customers, indicating, hey, this is indeed signed by Microsoft or signed by AWS or signed by Google or whatever, and I think that's basically where, you know, Cosign, sigstore came from.
C
There's an urgency to solve this issue, but, you know, unfortunately, we're sort of at a crossroads, or, you know, thinking about supporting this. I mean, I don't want to do it just purely to solve, supporting, you know, replicating a signed image. If it's a lot of work to us and if it's inferior to Notary in every other way, it doesn't make sense to me.
A
C
I have some raw notes myself and I have some emails that I can share with you, and then I can show you. I can add you to the Notary v2 Slack channel as well.