Glossary

Plain-English definitions for the acronyms and jargon that show up across Flareo's docs, tools, and status pages.

Canary rebuild

Flareo's daily CI job that rebuilds every module from upstream source, regardless of whether upstream shipped a new version. Catches silent dependency breakage, lets us pick up upstream bug fixes within a day, and ensures every module in the catalog has a recent signature.

Content-addressable

An addressing scheme where the name of a thing is derived from its content. sha256:abc... is content-addressable; :latest is not. Content-addressable addresses can't be silently replaced — if the content changes, the address changes.

Cosign

The Sigstore CLI tool for signing and verifying container images and other artifacts. What we use to produce our signatures and what you use to verify them. brew install cosign or see docs.sigstore.dev/cosign/installation.

Digest

The sha256 hash of an OCI manifest. Sometimes called the "image ID" in Docker UX. Every unique image has exactly one digest. Tags point at digests and can be moved; digests cannot.

Fulcio

Sigstore's certificate authority. Issues short-lived (~10 minutes) signing certificates based on OIDC identity. The CA that underwrites every Flareo signature.

Keyless signing

Code signing without a long-lived private key. Instead, a signer authenticates to Fulcio with an OIDC token, gets a short-lived certificate, uses it to sign, and the certificate expires. Relies on the Rekor transparency log to preserve timestamped proof that the signature was valid when made.

Module

In Flareo, a container image we rebuild, sign, and publish. Identified by a slug like vaultwarden. 12 modules in the catalog for the closed beta.

OCI image

An image following the Open Container Initiative standards. Docker images are OCI images. So are cosign signature manifests. So is everything else that speaks the container registry protocol.

OIDC

OpenID Connect. A standard for identity providers (GitHub, Google, etc.) to mint verifiable tokens about a user's identity. Flareo's builds authenticate to Fulcio using GitHub Actions' OIDC tokens, which is how the signatures end up attributable to https://github.com/flareo/....

Rebuild

A new build of an existing module, usually triggered by an upstream version bump or by our daily canary schedule. Each rebuild gets a fresh signature and a new Rekor log entry.

Rekor

Sigstore's transparency log. An append-only Merkle tree of every signature Sigstore has issued. Signatures stay verifiable forever by looking up their inclusion proof, even after the signing certificate has expired.

SBOM

Software Bill of Materials. A structured list of every package, library, and file that went into a build. Flareo publishes a CycloneDX SBOM for every image.

Sigstore

The Sigstore project: a collection of open-source tools and public infrastructure for signing, verifying, and logging software artifacts. Umbrella for Fulcio (CA), Rekor (transparency log), cosign (CLI), and the trust root.

SLSA

Supply-chain Levels for Software Artifacts. A framework for describing how trustworthy a build is, ranging from L0 (nothing guaranteed) to L4 (hermetic, two-party reviewed, reproducible builds). Flareo is at SLSA L2 today: automated builds with signed provenance. L3 requires job isolation we haven't invested in yet.