Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFD 170: Package Distribution v3 #43143

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

RFD 170: Package Distribution v3 #43143

wants to merge 5 commits into from

Conversation

fheinecke
Copy link
Contributor

@fheinecke fheinecke marked this pull request as ready for review July 25, 2024 22:05
@github-actions github-actions bot added rfd Request for Discussion size/md labels Jul 25, 2024
@github-actions github-actions bot requested review from gzdunek and strideynet July 25, 2024 22:06
@fheinecke fheinecke added the no-changelog Indicates that a PR does not require a changelog entry label Jul 25, 2024
zmb3
zmb3 reviewed Jul 31, 2024
View reviewed changes
Copy link
Collaborator

@zmb3 zmb3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have much feedback on whether Artifactory is the right choice or not. Sounds like it meets our requirements, but my past experience with it leaves me with the feeling that it is a slow, bloated, enterprise tool and not something that provides a nice developer experience.

rfd/0170-package-distribution-v3.md Outdated Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Outdated Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Show resolved Hide resolved
rfd/0170-package-distribution-v3.md
Comment on lines +348 to +353
* Go modules
* We pin these currently but do not actively scan these for new/unreported
vulnerabilities
* Rust creates
* We pin these currently but do not actively scan these for new/unreported
vulnerabilities
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have GitHub's Dependabot security alerts and regular govulncheck runs, so I don't know if it's fair to say we don't actively scan for vulnerabilities.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These don't check for unreported vulnerabilities, correct? My understanding (I can ask JFrog for clarification here if desired) is that JFrog's tool will look for issues in modules that have not been discovered yet/had CVE filed for yet.

@fheinecke
Copy link
Contributor Author

but my past experience with it leaves me with the feeling that it is a slow, bloated, enterprise tool and not something that provides a nice developer experience.

Noted. When/if we demo it hosted on our own infra then I will keep this in mind. When/if I deploy a proof-of-value instance, would you like access to try it out yourself?

@gravitational gravitational deleted a comment from github-actions bot Jul 31, 2024
r0mant
r0mant reviewed Jul 31, 2024
View reviewed changes
rfd/0170-package-distribution-v3.md Outdated Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Outdated Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Show resolved Hide resolved
rfd/0170-package-distribution-v3.md Outdated
tools that come included with a self-hosted JFrog license. This aligns with
our high-level objective of reducing our dependence on vendor services,
despite adding a new vendor. This includes:
* Orca (SaaS service)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca we're already removing and replacing with Wiz so it's not relevant here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we already signed with Wiz? If not, would there be value in using JFrog's solution instead of Wiz, so that we don't need another vendor?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is irrelevant to this RFD, Wiz implementation is already underway. Let's just remove it from scope altogether here.

@gzdunek gzdunek removed their request for review October 9, 2024 10:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bernardjkim bernardjkim bernardjkim left review comments

@zmb3 zmb3 zmb3 left review comments

@r0mant r0mant r0mant left review comments

@strideynet strideynet Awaiting requested review from strideynet

@klizhentas klizhentas Awaiting requested review from klizhentas

@doggydogworld doggydogworld Awaiting requested review from doggydogworld

@camscale camscale Awaiting requested review from camscale

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
no-changelog Indicates that a PR does not require a changelog entry rfd Request for Discussion size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fheinecke @r0mant @zmb3 @bernardjkim