Results 268 comments of Joshua Lock

Nice to see an implementation of this TAP, thanks @lukpueh! I agree with the assertion that the Sigstore instance should not be hard-coded. Private deployments seem likely and we want...

Agreed that requiring >= 2 reviews, as in the specification repo, is a good idea. We don't require signed commits anywhere else, are you suggesting we should? I'm not opposed,...

Completely agree with 2FA and >=2 reviews. I'm wary about requiring signed commits, because managing GPG keys without a security token is not something I feel comfortable asking folks to...

> > What would be the value of signed commits? Would we still get that value from maintainers signing their commits?
>
> Although 2FA reduces the risk of unauthorized...

This is a really nicely written RFC, brilliant work Shopify team! The detailed breakdown of OIDC and OAuth2 flows in particular is really nice documentation I would love to see...

> > with regards depending on sigstore public infrastructure, have you considered whether RubyGems should run an auditor to detect malicious/compromised log operators?
>
> I think yes, though we...

I just discovered that GitHub now supports [tag protection rules](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules):

> Only users with admin or maintain permissions in the repository will be able to create protected tags, and only...

I wonder if we could use [`git notes`](https://git-scm.com/docs/git-notes) to store these in the git repository for potential long-term reference without storing them in the file tree?

I like the idea of having an action client implementers can choose to use. I think we should do that and make noise in the Sigstore client meeting so that...

This is great! I fully support the proposal to use TUF-on-CI to maintain this repository. For the keyholder audience, it would likely be useful to be able to compare the...