Concerns About Notation Plugin Tight Coupling

[jimmyraywv]

Plugin binaries used with notation libs to perform verification and revocation operations will need to be packaged within the ratify container image. This tightly couples plugin binary releases to ratify releases. This introduces a few issues:

• The difference in release cadences between ratify and plugins
• How will users get the desired plugins/versions?
• Will ratify users need to build the ratify image to get their desired plugins?
• Is there a technical solution that would lessen the tight coupling, like putting the plugin binaries into different containers, maybe wrapping the plugins with daemons?

I just wanted to start a conversation around this.

[susanshi]

@noelbundick-msft has started a walkthrough at https://github.com/noelbundick-msft/ratify-verifier-plugin, i believe the sample walkthrough copies a external built plugin into Ratify's default plugin location. Will the same steps work for you @jimmyraywv?

There is a doc issue #405 tracking official docs for plugin development