[Bug] Architecture proposal - Having public HTTPS endpoint that exposes our server manifest won't be secure at all #499
marcpradas-IAG started this conversation in Ideas
You can read more about the vision for this project here: https://github.com/modelcontextprotocol/registry/blob/main/docs/explanations/ecosystem-vision.md The short answer is that we didn't set out to solve the full stack of concerns for private registries (our focus is public MCP servers, with a secondary goal of standardizing shapes used internally as well), but would welcome involvement from folks motivated to evolve the project in that direction to see if we can figure something out.
Could I kindly have a review?
Hi,
We've been talking directly with GitHub people, but they haven't been able to solve our concerns or doubts. They've sent this article to us 'explaining how to set up an internal MCP registry':
https://docs.github.com/en/enterprise-cloud@latest/copilot/how-tos/administer-copilot/configure-mcp-server-access#example-registry-format
https://github.blog/changelog/2025-09-16-github-mcp-registry-the-fastest-way-to-discover-ai-tools/
And the second article is what brought me to open a bug here. I'm still wondering why we need to add all these manifests and how authentication was going to be managed inside this ecosystem, but when solving my questions I realized how limiting that recipient is in comparison to what we used to have...
1st question that comes to my mind: Why don't you use already existing registry technologies? GitHub has GHCR.io, for example. What we have implemented is a way to import, scan and wrap any MCP coming from any source and put them all into a unified source, but this unified source is GHCR, and as far as I can see this won't be compatible with the new registry tech that you are defining...
I saw that there is already a PR to cover GHCR compatibility: #393
It seems that it's still missing automated authentication for private and internal registries, and it would also be nice to make the Copilot agent pull the images and execute them when connecting to a private registry manifest. Is it planned to be implemented?