Results 267 comments of Joshua Lock

Yes, we should update root before we fetch and verify timestamp. We need to better define how often Sigstore clients should run the TUF client workflow, would be good to...

There is a risk, yes. If we update the TUF metadata, whether due to a scheduled root update or a proactive rotation of a compromised key, then a cosign client...

Would (mustache) templating be a good solution? https://mustache.github.io/mustache.5.html

I think this is a smart move. Let's not rush delegations in, let's take the time to do them right. Targeting v6 sounds good to me!

Thanks for the suggestion! Better mypy/typing integration alone seems worth the effort.

I'd be happy to file a PR adding a markdown file to the repo with these links in.

> * [SLSA provenance (v0.2)](https://slsa.dev/provenance/v0.2) – designed to describe how a subject artefact was produced, with several opaque fields to be defined by buildType: `invocation.parameters`, `invocation.environment` and `buildConfig` > >...

I agree it would be great to be able to validate provenance against the spec. I'm not familiar with json-schema.org but it does seem to be popular among colleagues faced...

> That makes sense to me. One thing that could be clarified is what scope each of those statements apply to. The scope in Gossamer is a versioned release (see...