Justin Cappos
nb +1. This is long overdue!!!
So what would the behavior be in this case then?
What if you don't want to match subdirectories? Is that use case important? On Wed, Feb 28, 2024 at 2:00 PM Aditya Sirish ***@***.***> wrote: > I think fnmatch would...
So in my view, gittuf verification is more likely to happen on the developer machines and eventually at the repository. CI system, etc. verification is useful, but isn't the primary...
Expiry is mostly for freeze attack prevention and is mostly used to detect timestamp being replayed or on other top level roles to prevent an attack where the repo +...
I think this is a good topic for discussion in the community meeting...
Okay, let me think a bit about this. If you can think of other use cases (e.g., should the creator of the file also have the ability to define the...
With that PEP, we assume a pattern of the repo holding an online key and use it to directly sign projects so the users don't need to. Are you thinking...
You can think instead that when someone delegates to you that they state what (possibly sub-)part of the namespace they are giving you rights on. So the root keys (which...
In general, the snapshot doesn't allow the removal of a targets role / metadata file, but does control which versions are available and trusted. (This is similar, but not identical...