Aditya Sirish
Timestamps in the debug messages may be a small blocker for that? Perhaps this is a good time to pretty that up as well, though I think it's low priority...
Can we make hashes deterministic by controlling the author/committer details (including the time) and signing with an ed25519 key? You can pin those details using env vars.
@lukpueh could you take a look and approve if this is good to go? Thanks!
Thanks @patzielinski!
Blocked by #376, #379, #380.
We'll be using go-git regardless, it's fantastic for verifying signatures, signing test commits on the fly, etc. I don't know what the value prop of a gittuf API is still,...
(I've marked the Windows test as continue-on-error, it doesn't actually pass yet)
How do we guarantee that an entry doesn't point to an older policy? We walk back the RSL entry by entry to get the assurance we indeed have the most...
To add, walking back entry by entry also guarantees the RSL is indeed linear.
> Would there be a way to have a cache at every step of the RSL that tells us the latest state of the policy and attestations while also being...