Revise download page SBoM advice

Quote a command to avoid any risk of side-effects from a malicious BoM
Avoid a use of grep where awk can achieve the same outcome

Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
pull/32896/head
Tim Bannister 2022-04-13 10:36:37 +01:00
parent b7834e367f
commit 5866a6f690
No known key found for this signature in database
GPG Key ID: 1E76582C4F66FA48
1 changed file with 2 additions and 2 deletions


@ -73,13 +73,13 @@ in SBoM (Software Bill of Materials) format.
You can fetch that list using:
```shell
curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: k8s.gcr.io/' | awk '{print $2}'
curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release" | awk '/PackageName: k8s.gcr.io\// {print $2}'
```
For Kubernetes v{{< skew currentVersion >}}, the only kind of code artifact that
you can verify integrity for is a container image, using the experimental
signing support.
To manually verify signed container images of Kubernetes core components, please refer to
To manually verify signed container images of Kubernetes core components, refer to
[Verify Signed Container Images](/docs/tasks/administer-cluster/verify-signed-images).
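Review bot: the double quotes added around the `https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release` URL stop word splitting and globbing of whatever `latest.txt` returns, but that value is still spliced into the URL unvalidated, and neither `curl` invocation passes `--fail`, so an error page from either endpoint is piped straight into awk and silently yields no output or garbage fields. Consider capturing the version first and checking its shape before building the second URL, e.g. `ver="$(curl -fsSL https://dl.k8s.io/release/latest.txt)"`, `case "$ver" in v[0-9]*.[0-9]*.[0-9]*) ;; *) echo "unexpected version: $ver" >&2; exit 1;; esac`, then `curl -fsSL "https://sbom.k8s.io/$ver/release" | awk '/PackageName: k8s.gcr.io\// {print $2}'`. Note also that the quoting protects against the content of `latest.txt`, not against the SBoM body itself, which awk only reads as text; the commit message's wording ("a malicious BoM") may be worth adjusting so readers know which input the quotes defend against.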