Hayden B

Results 828 comments of Hayden B

The design of witnesses and distributors differs in that witnesses are not addressable (distributors are) and there's not an O(N^2) fanout requiring every witness to gossip with other witnesses, which...

Would https://github.com/theupdateframework/rust-tuf be usable for the TUF integration rather than https://github.com/sigstore/sigstore-rs/tree/main/src/tuf?

Is there DSSE support? At a quick glance, I see references to the intoto type. Ideally we would migrate to uploading DSSE rekor entries.

@jleightcap - https://github.com/sigstore/sigstore-rs/issues/274#issuecomment-1698701976 mentioned the use of the AWS TUF library, I don't think this is a blocker unless AWS is not actively supporting the library.

A few implementation notes:
* We likely can support both TUF clients concurrently without a flag. We may be able to use the same cache folder too, needs confirmation.
* ...

Another implementation note, as per https://github.com/sigstore/sigstore-go/issues/38, we can now initialize multiple clients for different repositories each with its own local cache, which covers the use case of verifying against multiple...

I think building a [claimant model](https://github.com/google/trillian/blob/master/docs/claimantmodel/CoreModel.md) would help to convince us if this adds value. Who are the actors that will consume the entries in the log? As the OIDC...

I want to push back a little because while logs aren’t too hard to spin up, they are harder to maintain and create an ecosystem around them with witnessing and monitoring....

Also we should not change the current origins, so we'll need to make this configurable per shard.

From the Rekor side, there are a few open issues related to rpm support:
* The RPM Go library is mostly unmaintained and currently uses a deprecated openpgp library (more details...