Results 268 comments of Joshua Lock

I think source attestations would be generated by the source control platform? Because that platform would need to be trusted for producing attestations, we'd want to have a document similar...

I'm with the other commenters, trying to mandate merge strategy will make the source track a no-go for many (open source projects and not).

> Some of the comments could be misguided because I had a bit of trouble understanding which source of metadata is referred to in cases: e.g. steps 5.0 - 5.2...

Following the discussion at the TUF working session in Paris I've tried to update this PR to address review comments and make it mergeable as a Deferred TAP.

> > what should the pedagogical examples look like after the spec is updated per this TAP? do we continue to use JSON for file format examples?
>
> I...

Here's a blog post [introducing Passim](https://blogs.gnome.org/hughsie/2023/07/28/introducing-passim/). cc @adityasaky as the submitter of TAP 19.

I've converted this PR to be a draft as we don't want to merge this until it reflects the reference implementation.

Some thoughts on these questions:

* **repository vs client hosted alternate top-level targets metadata** I like the suggestion to allow a client to provide a mapping to a local top-level...

Merkle tree implementations are susceptible to a second pre-image attack (see, for example, [here](https://flawed.net.nz/2018/02/21/attacking-merkle-trees-with-a-second-preimage-attack/) or [here](https://link.springer.com/chapter/10.1007%2F978-3-540-78967-3_16)). Fortunately, there is a well-known fix (as implemented in Certificate Transparency): differentiating between leaf...

Some additional issues/questions for consideration based on my final review before hitting approve:

* is there a more compact format for the metadata, rather than having a `merkle_path` and `path_directions`...