Joshua Lock
Good discussion here, thank you all. I think we should indeed address both: a) adding guidance about retries to the client workflow b) capturing repository publishing recommendations (atomic/single transaction OR...
The legacy client in the reference implementation keeps a `set()` of visited role names and skips any role name (node) that it has visited before. See [`_preorder_depth_first_walk()`](https://github.com/theupdateframework/tuf/blob/8e9677d2620c937e3a64e5420e7386f2464f26bd/tuf/client/updater.py#L2641) in tuf/client/updater.py.
Thank you for the detailed issue @raphaelgavache! Apologies all for the noise of the drive-by comment earlier, I wanted to some implementation examples and submitted before the comment was complete....
Thank you for the eagle-eyed review. Apologies for not catching these when the changes were originally submitted.

> **Details per role**
>
> * For _root_ there actually are...
Java/Maven (see also #594)
We could include details of the virtual-environment in the materials, but that's hard to link to in an [immutable way](https://github.com/actions/virtual-environments/discussions/5483).
I'd very much like to have a Maven/Gradle builder! I did start looking into this but got very distracted, apologies. I don't think we should put provenance _in_ the jar...
> > I'm also curious about the "not evaluated as part of policy" phrasing in the provenance format spec too. We are capturing some fields which could provide valuable input...
Thanks for taking the time to write up the rationale. Mulling this over, but it feels like we should leave as-is.