Flag `--plain-http` didn't explicitly remind users the insecure connection to registries

[yizha1]

What is the areas you experience the issue in?

Notation CLI

What is not working as expected?

The flag --plain-http allows notation commands to establish an insecure connection to registries, which is implicit to users. This could be a security risk if users connect to an insecure registry.

This flag exists for the following commands:

• notation sign
• notation verify
• notation list
• notation inspect
• notation login

What did you expect to happen?

Update the description of the flag to explicitly inform users that this flag allows insecure connection to registries. for example:

--plain-http Use HTTP protocol while connecting to registries. Use it only for testing purposes.

How can we reproduce it?

Run help command

Describe your environment

WSL

What is the version of your Notation CLI or Notation Library?

v1.0.0-rc.3

[patrickzheng200]

I will take this one.

[yizha1]

Thanks @patrickzheng200, I updated the expectation section to keep the flag, but update the descriptions

[yizha1]

@toddysm do you have any comments on the updated description:

--plain-http Use HTTP protocol while connecting to registries. Use it only for testing purposes.

[toddysm]

I believe @patrickzheng200 wrote a spec where we completely remove the --plain-http flag. Adding too many flags clutters the UX and confuses the users.

@patrickzheng200 please link the spec to this issue.