Justin Cappos
This PR needs to be discussed by the in-toto community and folks from the documentation group in the CNCF. I'd love for us to decide on this at a future...
I don't remember the content of the discussion here, but do vaguely recall a discussion a long while back. We definitely need to document it in a way that others...
I'd like to see some examples of this so we can better understand the implications. If there is an explicit ALLOW *, doesn't this mean new items can effectively always...
Offhand, I'd rather have 1) an accidental annoyance from blocking something that is caught later and rectified before the software is shipped than 2) a situation where a compromised step...
This is just my two cents, but I would see this as fitting better as an alternative carrier format. We'd love for in-toto attestations to be used everywhere (RATS included!),...
> I don't see in goals vs non-goals any statement about comparing attestations with evidence

I think this is largely an artifact of how we scoped the original in-toto academic...
What if the inspections take multiple steps and do different things? For example, imagine an encrypted, compressed package. If the client must decrypt it first, then unpack, how is this...
> To be more specific:
>
> In case the target files of the final product are encrypted/compressed, I would expect the last step of the supply chain, e.g. a...
I don't think this is out of scope. It's certainly possible to make an attestation that some process passed or failed and have it relate to that functionary's beliefs. From...