-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: trust model around custom plugin indexes #576
Comments
A major consideration for me is that many users only run Since this is a security issue, I'd rather print that warning too often than too seldom. And our approach to show it after every install fulfils its purpose well. Frequent users know the warning anyway and won't even look at it. Consequently, I would not automatically add trust to custom indexes. On the other hand, for corporate setups where admins want to distribute plugins from a vetted registry should somehow have the capability to add that trust. I think a good way is to add two more index commands: Option 3 krew index trust my-index
krew index untrust my-index These commands will also give us the opportunity to print an extra-nasty warning that trusting an untrustworthy source can have bad consequences. This does increase the API surface of the cli, but the complexity is low. In contrast, interactive commands+workarounds sound much more complex. |
IMO adding commands (e.g. We currently don't know how much the users/IT admins care about this. I'll try to go to #helm chat on Slack and ask around how/if security warnings are handled. |
Well another idea is to make this fully manual like Anyway, finding out the demand for this feature is the best next step. |
I think I'm good with an implicit method (a file with trusted index list –OR– per-index sentinel file indicating trust –OR– an env var like KREW_TRUST_INDEXES) OK, so it seems like we're leaning towards:
Correct? |
Yes, I fully agree! @chriskim06 what's your take on this? |
this sounds good to me. It also seems like the simplest path going forward.
I also agree with this. I feel like providing a way to "trust" plugins/indexes could wait until people complain about excessive warnings. But I also have less experience with this than you two so would defer to your judgment on it. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/lifecycle frozen |
This hasnt moved in a while so i'd like to chime in and request initially just the ability to configure an environment variable to silence the warning. |
The problem with those knobs is that it's yet another thing to know about for the user. |
The functionality has always been to fill your terminal with a massive wall of text most of us are acutely aware of already. Adding a user defined override that has to be explicitly looked for in the docs and intentionally set to be enabled is, in my opinion, the opposite of something the user has to be aware of. I would safely assume the significant majority would never even know a toggle option became available and the functionality stays status quo |
IIRC, we decided to show the warning on updates, because plugin updates do not get vetted at all and could ship entirely different software. |
The output verbosity and its warning is a statement that currently stands for every single plugin. Showing it sometimes is the same as showing it all of the time. When krew has an official vetted repo option, the warnings would fit the purpose. When it is simply the application as a whole, it is obtrusive and repetitive. You have the option to "trust" a self signed certificate, which squelches the warning for that cert until it expires. This, essentially, is the same flow. |
Are you saying that this is not good enough?
|
Correct. Was trying to give a why and not just a "no". |
@ahmetb @chriskim06 @corneliusweig any further movement on this discussion? The log message is of little concern for users if they see it every time. Ideas:
|
I'm not a big fan of introducing prompts, but open to disabling the message on upgrades (as discussed above, it wasn't intentional to begin with), as well as choosing a softer message that would panic the users. Open to alternative message proposals. |
What about softening the message by simply removing this sentence? |
SGTM. |
Is there still no option to suppress that warning message? |
Related: #483
Currently every plugin installed/upgraded from krew-index comes with a security warning:
The reason we added this is because users must understand that they are downloading potentially unvetted binaries.
With the fact that multiple indexes are now happening, this opens several possibilities to rethink this experience, given:
Proposal 1
Trust all "custom" indexes implicitly.
default
index (i.e. krew-index) would still print installation warningsNotes:
Proposal 2
Trust "all" indexes explicitly on the first use.
Notes:
krew install < myplugins.txt
)? (Likely we'd need to fail and add a --trust/--quiet flag to install which I'm not super eager about.)/kind proposal
/area multi-index
/priority important-soon
/cc @corneliusweig
/cc @chriskim06
The text was updated successfully, but these errors were encountered: