Summary
IsTrustedBuilder only checks user-configured trusted builders (cfg.TrustedBuilders), so callers that need to also recognize known trusted builders must separately call IsKnownTrustedBuilder(). This split makes it easy for trust checks to diverge across commands (see #2570).
Additionally, IsKnownTrustedBuilder uses exact string matching, so known builders listed without a tag (e.g. paketobuildpacks/builder-jammy-base) don't match when a specific tag is used (e.g. paketobuildpacks/builder-jammy-base:latest). IsTrustedBuilder already supports matching by repository for user-configured builders (via name.ParseReference), but this is not applied to known builders.
Some builder repositories (e.g. heroku/builder) don't publish a latest tag, so builders must be specified with a tag (e.g. pack build --builder heroku/builder:24). With exact string matching, a tagless heroku/builder entry in the known builders list wouldn't match these tagged references.
Reproduction
Steps
pack builder inspect paketobuildpacks/builder-jammy-base:latest
Current behavior
Output shows Trusted: No, because IsKnownTrustedBuilder performs an exact string match and paketobuildpacks/builder-jammy-base:latest does not equal paketobuildpacks/builder-jammy-base.
Expected behavior
A known trusted builder listed without a tag should match any tag in that repository, consistent with the behavior for user-configured trusted builders.
Proposed solution
Make IsTrustedBuilder check both known and user-configured trusted builders using name.ParseReference for consistent reference matching: entries without a tag match any tag in the repository; entries with a tag require an exact match. This removes the need for callers to separately check IsKnownTrustedBuilder().
Re: #2266 (comment) - a concern was raised that trusting by repository could implicitly trust unstable/RC tags (e.g. builder:24-rc3.dev). I verified via crane ls that all tagless known builders (the Paketo paketobuildpacks/* repositories) only publish semver version tags and latest - no RC, dev, alpha, beta, or pre-release tags exist in any of these repositories.
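The matching rule proposed above, as an added example that is not pack's own code: a small Go implementation where a tagless trusted entry matches any tag in its repository and a tagged entry requires an exact match. It uses a constructed stand-in parser instead of name.ParseReference (so it runs without go-containerregistry), and knownBuilders is a constructed sample, not the real list.

```go
package main

import "strings"

// knownBuilders is a constructed sample of pack's known trusted builders list (tagless repositories).
var knownBuilders = []string{"paketobuildpacks/builder-jammy-base", "heroku/builder"}

// builderRef is a constructed stand-in for name.ParseReference: repository plus optional
// tag; digests are not handled and an untagged reference keeps Tag == "" (no "latest" default).
type builderRef struct {
	Repository string // e.g. index.docker.io/paketobuildpacks/builder-jammy-base
	Tag        string // "" when the reference has no tag
}

// parseRef splits "registry/repo:tag" into repository and tag and normalizes
// Docker Hub shorthand (index.docker.io, library/) the way go-containerregistry does.
func parseRef(s string) builderRef {
	repo, tag := s, ""
	// A ':' after the last '/' separates the tag; before it, it is a registry port.
	if i := strings.LastIndex(s, ":"); i > strings.LastIndex(s, "/") {
		repo, tag = s[:i], s[i+1:]
	}
	parts := strings.Split(repo, "/")
	if first := parts[0]; !strings.ContainsAny(first, ".:") && first != "localhost" {
		if len(parts) == 1 {
			parts = append([]string{"library"}, parts...)
		}
		parts = append([]string{"index.docker.io"}, parts...)
	}
	return builderRef{Repository: strings.Join(parts, "/"), Tag: tag}
}

// matchesTrusted implements the proposed rule: a trusted entry without a tag
// matches any tag in the same repository; an entry with a tag must match exactly.
func matchesTrusted(builder string, trusted []string) bool {
	b := parseRef(builder)
	for _, t := range trusted {
		tr := parseRef(t)
		if tr.Repository == b.Repository && (tr.Tag == "" || tr.Tag == b.Tag) {
			return true
		}
	}
	return false
}

// isTrustedBuilder checks known and user-configured trusted builders in one place,
// so callers no longer need a separate IsKnownTrustedBuilder() call.
func isTrustedBuilder(builder string, configured []string) bool {
	return matchesTrusted(builder, knownBuilders) || matchesTrusted(builder, configured)
}
```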
Environment
Presumably all versions since PR #2266 was merged (which introduced this functionality).