Anuket Project

What:

Dovetail will provide a way to authenticate the integrity for both dovetail tool and report.

With this approach, dovetail generates a digital signature along with the plain-text report. The reviewer can then use this signature to validate the integrity of both the dovetail tool and the report.
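The signing and verification flow described above, as an added example that is not Dovetail's own code: the release owner publishes a public key, the tool binds a digest of its own artifact and of the report into a manifest and signs that manifest, and the reviewer checks the signature and then re-computes the digests. Key file names, the manifest format, the `WORK` directory and the sample report content are assumptions made for this example; the OpenSSL commands are standard ones.

```shell
#!/usr/bin/env bash
# Added example (not part of the Dovetail project): sign a plain-text report
# together with the digest of the tool that produced it, then verify both.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory

# SHA-256 of a file as a bare hex string (portable: no sha256sum needed).
digest() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Release side, done once per Dovetail release: create the signing key pair.
# release.key stays with the release owner; release.pub is published.
gen_release_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null
  openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null
}

# Tool side: write a manifest binding the tool artifact's digest to the report's
# digest, and sign the manifest. $1 = report path, $2 = tool artifact path.
sign_report() {
  {
    echo "tool=$(digest "$2")"
    echo "report=$(digest "$1")"
  } > "$1.manifest"
  openssl dgst -sha256 -sign "$WORK/release.key" \
    -out "$1.manifest.sig" "$1.manifest"
}

# Reviewer side: returns 0 only if the manifest signature is valid AND both the
# report and the tool artifact still match the digests recorded in it.
verify_report() {
  openssl dgst -sha256 -verify "$WORK/release.pub" \
    -signature "$1.manifest.sig" "$1.manifest" >/dev/null 2>&1 || return 1
  [ "$(grep '^tool=' "$1.manifest")" = "tool=$(digest "$2")" ] || return 1
  [ "$(grep '^report=' "$1.manifest")" = "report=$(digest "$1")" ] || return 1
}

# Constructed sample data, not a real Dovetail report or release artifact.
setup_sample() {
  printf 'dovetail.release=example\ntc001 PASS\ntc002 FAIL\n' > "$WORK/report.txt"
  printf 'stand-in for the dovetail tool tarball\n' > "$WORK/dovetail.tar"
}

# Modify one file in place, confirm verification now fails, then restore it.
# Returns 0 when the modification was detected. $1 = file to modify.
tamper_detected() {
  cp "$1" "$1.bak"
  sed 's/tc002 FAIL/tc002 PASS/' "$1.bak" > "$1"   # e.g. remove a failure
  printf 'x\n' >> "$1"                             # also covers non-report files
  rc=0
  verify_report "$WORK/report.txt" "$WORK/dovetail.tar" && rc=1
  mv "$1.bak" "$1"
  return $rc
}

main() {
  gen_release_key
  setup_sample
  sign_report "$WORK/report.txt" "$WORK/dovetail.tar"
  verify_report "$WORK/report.txt" "$WORK/dovetail.tar" && echo "original report: verified"
  tamper_detected "$WORK/report.txt" && echo "modified report: rejected"
  tamper_detected "$WORK/dovetail.tar" && echo "modified tool artifact: rejected"
}

if [ "${1:-}" = "demo" ]; then main; fi
```

Run it as `bash sign_report.sh demo`. Signing the manifest rather than the report alone is what lets the reviewer check the tool's integrity as well: the signature proves the manifest came from the release key, and the recorded tool digest proves which artifact produced the report. The private key never needs to leave the release owner, so a modified container cannot produce a valid signature.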

Why:

The plain-text report is vulnerable: it can easily be modified during storage and transport.

The reviewer needs to be sure that the report was generated by a validated tool from the release and that its results cannot be modified, for example to remove a failure.

Users do not need to know or learn any details about this procedure.

How:

1. proposal for container security:

Temporary test results inside the container can be modified as well; we can improve this as follows:

1) the upstream projects perform authentication of their own results

2) set up a database dedicated to dovetail results; people without permission cannot access the database

3) use the REST API of FUNCTEST/YARDSTICK over SSL, so that the results exist only in secured transport and in the database, where no one can touch them.


Remark: uploading the result to the remote db is optional. When the user wants to "dry run" the test, all results are stored locally, so it is convenient for users to adjust/modify their platform for a better result.
