Achieve Decision: Do we need to validate signatures from staging in parallel? #1127

@lasomethingsomething

Description

Dependent on #1129 and some other issues

Objective

  • Answer this question: "Should we promote images that weren't built by a Google Cloud Build (hosted and tamper-proof build system) job triggered by Prow?"
  • In the future, SIG uses the conclusion to plan future work.

Tasks to achieve the objective

By 1-3 contributors:

  • Do research on the topic
  • Answer questions posed by the group, such as:
    - Maybe a reconciliation job that handles this as a regular CI task would work?
    - Pushing one image from staging into one production registry would be the minimal amount. Could we minimize even further?
  • To the previous point, actively collect additional questions as part of your research phase
  • Prepare a brief (1-2 pages max) proposal evaluating pros, cons, and tradeoffs
  • Share proposal with SIG (mailing list, Slack thread, at community meeting)

By the SIG/group:

  • SIG members provide input on findings/raise questions
  • After a timeboxed review period (to be determined), SIG members regroup to make a decision
  • Log decision for community awareness
  • Plan next steps

Context and things to think about while working on this task

  • This relates to potential work to make the image promoter less monolithic
  • This points to the workflow steps "Validating signatures from staging in parallel" and "Pushing each image digest from staging into every mirror location"
  • We currently also sign things in parallel

Metadata

Assignees

No one assigned

    Labels

    lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.

    Type

    No type

    Projects

    Status

    Blocked

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
