
TEA release staging and releasing

Open matglas opened this issue 6 months ago • 0 comments

During a community meeting we discussed the technology that might be used for staging a release and then releasing it. In this context the use of TUF (The Update Framework) could be very valuable.

TUF allows us to have delegated roles for signing artifacts. The power of TUF is in the way it establishes a trust root with signing delegations and allows you to rotate keys if an artifact becomes compromised and should be retracted.

  • https://theupdateframework.io/

  • Must-watch video on TUF and security artifact distribution. https://www.youtube.com/watch?v=lIYXVIPsk_U

  • There is a broad scope in adoption for TUF as a technology.

  • https://theupdateframework.io/community/adoptions/

Using TUF should be an optional choice for providers probably.

matglas, Jun 04 '25 14:06
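
Added example, not part of the issue and not code from the TEA or TUF projects: a simplified model of the trust root, role delegation and key rotation the issue refers to, written against Node's built-in `crypto` module. The `release` role name, the key ids, the object layout and the use of `JSON.stringify` in place of a canonical metadata encoding are all assumptions made for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Constructed Ed25519 key pair; the public half is kept as PEM so roots serialize to JSON.
function newKey() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  return { pub: publicKey.export({ type: "spki", format: "pem" }), priv: privateKey };
}
const signWith = (key, msg) => sign(null, Buffer.from(msg), key.priv);

// A role is satisfied when at least `threshold` of its authorized keys validly signed msg.
function roleVerified(role, msg, sigs) {
  const valid = Object.entries(role.keys).filter(
    ([id, pem]) => sigs[id] && verify(null, Buffer.from(msg), pem, sigs[id]));
  return role.threshold > 0 && valid.length >= role.threshold;
}

// Accept `next` only as version + 1, signed by a threshold of the trusted root keys and
// of its own root keys; otherwise keep `cur`. JSON.stringify stands in for the
// canonical encoding that real metadata would be signed over.
function updateRoot(cur, next, sigs) {
  const msg = JSON.stringify(next);
  const ok = next.version === cur.version + 1 &&
    roleVerified(cur.roles.root, msg, sigs) && roleVerified(next.roles.root, msg, sigs);
  return ok ? next : cur;
}

// Scenario with constructed keys; "release" is a hypothetical delegated role.
function demo() {
  const rootKey = newKey(), oldRel = newKey(), newRel = newKey();
  const mkRoot = (version, relId, rel) => ({ version, roles: {
    root: { keys: { "root-1": rootKey.pub }, threshold: 1 },
    release: { keys: { [relId]: rel.pub }, threshold: 1 } } });
  let trusted = mkRoot(1, "rel-old", oldRel);
  const manifest = "constructed release manifest";
  const sigs = { "rel-old": signWith(oldRel, manifest) };
  const before = roleVerified(trusted.roles.release, manifest, sigs);
  // A root signed only with the release key must not replace the trusted root.
  const forged = mkRoot(2, "rel-old", oldRel);
  const forgedSigs = { "root-1": signWith(oldRel, JSON.stringify(forged)) };
  const forgedRejected = updateRoot(trusted, forged, forgedSigs) === trusted;
  // The root key holder publishes version 2, which replaces the release key.
  const next = mkRoot(2, "rel-new", newRel);
  trusted = updateRoot(trusted, next, { "root-1": signWith(rootKey, JSON.stringify(next)) });
  const after = roleVerified(trusted.roles.release, manifest, sigs);
  return { before, forgedRejected, after, version: trusted.version };
}

console.log(demo()); // { before: true, forgedRejected: true, after: false, version: 2 }
```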