Hayden B
cc @kpk47
@kpk47 You haven't begun work on this yet, correct?
+1 to an offline flag! Here's a copy paste of a comment I left on a doc when we were looking into the Cosign CVE: With no flag, I'd propose...
@asraa's design doc for the Sigstore TUF client also mentioned supporting offline TUF. IIRC it was configurable how to handle expired metadata.
cc @priyawadhwa
> These are different, and we rely on them for SLSA 3 builders to demonstrate the identity of the trusted builder, the called workflow, which is distinct from the caller....
Let's get a chat going either on Slack or here, there hasn't been any progress.
Yep! I'll do a more thorough review early next week.
I think we're in agreement that the format is in a good state, sans whatever comments that arise in a final review. What's the next step @kommendorkapten? Should we begin...
Meta comment - It seems like a lot has changed since the last time I looked at it, so I'll need to do another pass. Can we avoid any more...