Justin Cappos
You could just put the repo URL, etc. in the file name too, but I feel this is overkill. My intuition is that requiring role names to be unique to...
> > > The ID would still have to be in the filename as the first rotate file > would always have a previous file of null, so a collision...
> > Role names: > The TUF spec does not specifically forbid roles with the same role name, > but in practice it would not work as the role's metadata...
I agree and like this with the proviso that there also not be any additional rotate files that are not in the chain. A well behaving repo should cull these....
I don't know whether this makes it easier or harder, but I'm also curious how TAP 5 interacts with this... My thinking is that the root role's metadata must point...
>Aside: is there a way we could get each major stakeholder represented in our monthly community meeting? Maybe something like a steering committee would encourage people to show up. We...
I believe that one thing that is not clearly said is that once a client sees a certain specification version for a repository, it should always use it (or later) in...
I need to spend some time thinking deeply about whether there are any security issues lurking here, but I appreciate the suggestion and agree we should merge these sections in....
FYI: We also will need to change the ITE repo and ensure that files in our repo have the "SPDX-License-Identifier: Community-Spec-1.0". {Note that since the CSL 1.0 in LICENSE is...
For rationale: I had a conversation with Mike Dolan from the LF and there is a good reason for us to consider using the Community License Specification for the in-toto...