westurner 7 hours ago

Notes for solvers in this space;

Fedora recently moved to managing packages in Forgejo, a fork of Gitea and Gogs, a clone of the old GitHub UI. https://news.ycombinator.com/item?id=45670055

Forgejo has an artifact registry for DEBs, RPMs, APKs; and a Container Registry for OCI Containers.

Any type of artifact can be stored in an OCI container image registry. Any type of artifact can be signed/attested to with a short-lived signing key from sigstore.dev's or a self-hosted Rekor instance.

Native container tools like bootc store host system images as OCI container images.

From https://news.ycombinator.com/item?id=44991636 :

> bootc-image-builder, ublue-os/image-template, ublue-os/akmods, ublue-os/toolboxes w/ quadlets and systemd

There are streaming container standards to boot containers that haven't finished downloading yet, and container snapshot artifacts too; Seekable OCI, eStargz, Nydus: https://news.ycombinator.com/item?id=45270468

...

Forgejo can mirror git repos regularly or manually.

"Tell HN: GitHub will delete your private repo if you lose access to the original" re: `git clone --mirror` https://news.ycombinator.com/item?id=34603593

Python Packaging User Guide > Package index mirrors and caches > Existing projects: https://packaging.python.org/en/latest/guides/index-mirrors-...

> [ Cache, Mirror, Proxy ]

> [ mod_cache_disk (Apache), nginx_pypi_cache, pulp-python, ]

Pulp (Red Hat) mirrors and proxies a number of different types of packages. https://github.com/pulp

pulp_container, pulp_ostree, pulp_ansible, pulp_rpm, pulp_deb, pulp_npm, pulp_maven, pulp_r

pulp-operator for HA SPOF with k8s: https://github.com/pulp/pulp-operator

From https://news.ycombinator.com/item?id=44320936 re: cosign, Sigstore, TUF, SLSA; you have to pass this to get docker to check container image signatures

  DOCKER_CONTENT_TRUST=1
..

- integrate with Forgejo

- mirror git repos

- consider pulp's modular approach and deployment operator

- consider OCI for future packaging formats

- What SLSA recommends; check TUF, Sigstore, Trusted Publisher (OIDC) and GPG .asc signatures

And then also content-addressable networking might avoid some of the overhead and wasteful redundancy of checking the hash of each file in each signed package manifest.
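As an added example that is not part of the comment above: a small Python model of OCI content addressing, showing why verifying one manifest digest transitively covers every blob the manifest references (the same property the comment relies on when it says any artifact can live in an OCI registry and be signed by digest). The in-memory store `CAS` and the helpers `put_blob`, `build_manifest` and `verify_manifest` are assumptions of this example, not any registry's API.

```python
import hashlib
import json

# Constructed in-memory content-addressable store: digest -> bytes.
# Registries key blobs the same way; the digest is the only name a blob has.
CAS: dict[str, bytes] = {}

def digest_of(data: bytes) -> str:
    """OCI digest string in the form algorithm:hex; sha256 only here."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def put_blob(data: bytes) -> dict:
    """Store a blob and return its OCI descriptor (caller sets mediaType)."""
    d = digest_of(data)
    CAS[d] = data
    return {"digest": d, "size": len(data)}

def build_manifest(config: bytes, layers: list[bytes]) -> bytes:
    """Build a minimal OCI image manifest whose descriptors point into CAS."""
    cfg = put_blob(config)
    cfg["mediaType"] = "application/vnd.oci.image.config.v1+json"
    layer_descs = []
    for layer in layers:
        desc = put_blob(layer)
        desc["mediaType"] = "application/vnd.oci.image.layer.v1.tar"
        layer_descs.append(desc)
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": cfg,
        "layers": layer_descs,
    }
    raw = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    CAS[digest_of(raw)] = raw  # the manifest is itself content-addressed
    return raw

def verify_manifest(manifest_digest: str, cas: dict[str, bytes] = CAS) -> bool:
    """Check the manifest bytes against their digest, then every referenced
    blob against its descriptor's digest and size. Any mismatch -> False.
    A signature over manifest_digest therefore pins every blob below it."""
    raw = cas.get(manifest_digest)
    if raw is None or digest_of(raw) != manifest_digest:
        return False
    manifest = json.loads(raw)
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = cas.get(desc["digest"])
        if blob is None or len(blob) != desc["size"] or digest_of(blob) != desc["digest"]:
            return False
    return True
```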