Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

With this approach, dovetail generates a digital signature along with the plain-text report . Then the reviewer can use this signature to validate the integrity of the dovetail tool and the report. 

Why:

The report in plain-text is vulnerable, can be easily modified during storage and transportation.

Reviewer need needs to make sure that the report is generated by a validated tool from the release and its result can not be modified to remove a failure or something like that.

Users do not need to know or learn any details about this procedure.

How:

The whole authenticating workflow show as following:

Image Removed1. proposal for container security:

Temporary test results in container can be modified as well, we can improve this by following: 

1) the upstream project to do authentication on themselves

2) setup a database, and the database is dedicated for dovetail results, people with no permit can not access the database

3) use the REST API of FUNCTEST/YARDSTICK with SSL to make sure that these results are just existing in secured transportation and saved to db, and then no one can touch them.

 

Image Added

Remark: It is optional to upload the result to remote db. When user want to "dry run" the test, then all results will be stored locally. So it's convenient for users to adjust/modify their platform for a better result.