Aditya Sirish
@dependabot rebase
I think it's preferable to fix this by directly using the proto. I know @marcelamelara was interested in getting this done too; unfortunately, I've been a little swamped. @marcelamelara do...
I'll try and tag a release tomorrow. There are a couple pending updates etc we should probably merge as well, I'll check if someone has a few to take a...
We've discussed making the in-toto specification more agnostic to the signing key algorithms, mechanisms, and so on. Inherently, there's nothing locking us into one algorithm / mechanism or another, it's...
> Hey @adityasaky, a question, should we also register this project to [OpenSSF Best practice](https://www.bestpractices.dev/en/projects).

I'm not sure. We have in-toto/in-toto registered already. We ought to reevaluate this in the...
I like the ideas here, is the plan to take this all the way through signing the statement using dsse as well?
Hi @anotherbridge, this is caused because the first time you ran verification, it created some artifacts (it untar-ed the archive and created link metadata for the inspection). Subsequent verification attempts...
Good catch, @anotherbridge! Here's why this is happening: https://github.com/in-toto/in-toto/blob/fbc1eb053dd39c6d1fb307a60bd2c781e667c931/in_toto/settings.py#L39 The Python implementation automatically excludes recording certain artifacts which the Go implementation does not. @lukpueh and @shibumi, do we add these...
Great! I'm going to edit this ticket to record exactly why this is happening.
I'm actually less sure if we should patch it here or in in-toto-python. IMO the default excludes is not immediately obvious and potentially unexpected behaviour to a newcomer. @lukpueh WDYT?