Joshua Lock

Per https://github.com/theupdateframework/go-tuf/pull/369#discussion_r961945970 and https://github.com/theupdateframework/go-tuf/pull/369#discussion_r962008245 we should be careful with this fix. We must add tests, fix broken tests, and above all else communicate the impact of this change well.

> Question: TUF specification only describes "Fetching a desired target". How can I discover what targets the repository signs off on though? TUF is designed under the assumption that it...

See also very relevant discussion in python-tuf https://github.com/theupdateframework/python-tuf/issues/1995

Specifically, [flynn/go-docopt](https://github.com/flynn/go-docopt) is archived and its upstream [docopt/docopt.go](https://github.com/docopt/docopt.go) has not been active for ~5 years.

> Deb downloads are a LOT faster and is more stable. I suspect that switching to the main debian CDN has something to do with that (as it is no...

Thanks for the response Peter. If I'm understanding your explanation correctly, I don't think it's quite working as you expect. If I clone your repo and run `$ bazel build...

FWIW my understanding of the Debian package archives is as follows. * deb.debian.org provides mirrors of the archives on ftp.debian.org, which host the current releases (Jessie/8, Stretch/9, and Buster/10) *...

I'd like to grab this, though it may be a a couple of weeks until I get round to it.

There's some discussion about this in a go-tuf issue https://github.com/theupdateframework/go-tuf/issues/136

I think a good place to start with this would be looking at what scaffolding Warehouse ends up building on top of the metadata API. https://github.com/pypa/warehouse/pull/7488 https://github.com/pypa/warehouse/pull/8955