209 comments of Justin Cappos

Better guidance for clients makes sense to me. One would expect a single retry would resolve this. If a more pathological case is happening, it feels more like a repository...

I'm jumping in late here, but want to mention we're certainly moving TUF so that it doesn't require a specific format (e.g., canonical-json). TAP 7 talks about some of our...

Does it make sense to have each piece of "root" metadata on a repo always contain a list of the other spec_versions of metadata that are available on that repo?...

> I'm still [not convinced](https://github.com/theupdateframework/taps/pull/158#issuecomment-1261325613) that there is a use case for clients dynamically choosing which major spec version they want to support. I read the linked comment. Are you...

On Fri, Feb 26, 2021 at 7:30 AM David A. Wheeler wrote: > Hi, thanks so much for your feedback! > Sure, happy to iterate and try to be more...

> (If this is not clear, please ask and I'll elaborate with an example.) Please provide an example. I understand the rest and think the snapshot role is fine for...

Can you say more about what you mean by "practically useful"? When you in-toto verify something, you use a previously validated root-of-trust to check a (potentially updated) layout file and...

Sure, TUF certainly can be used and is used in this way. There isn't any requirement to have an online connection. Updates could come by USB stick, CDROM, floppy drive,...

I would expect that in the case that this target file delegates to other target files, it would include all of the items listed there. (This would continue transitively.) It...

Do you release the file when you don't have a threshold of signatures? I mean, is it considered valid when it isn't fully signed? I would think it should not...
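The threshold rule the last comment asks about, as an added example that is not Justin Cappos's code nor the TUF project's own implementation. It models a role's trusted keys plus a threshold, and accepts a metadata file only when enough distinct authorized keys have produced valid signatures over the signed bytes. Assumptions: Ed25519 keys, a keyid derived as hex SHA-256 of the raw public key, and an opaque byte string standing in for however the repository serializes the "signed" portion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is one entry of a metadata file's "signatures" list: the keyid of
// the signing key and the raw signature over the "signed" bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

// SignedMetadata pairs the serialized "signed" portion with its signatures.
// How "signed" is serialized is out of scope; signer and verifier only need
// to agree on the bytes.
type SignedMetadata struct {
	Signed     []byte
	Signatures []Signature
}

// Role holds the public keys trusted for a role and how many distinct keys
// must have signed (the threshold), as root or delegation metadata states.
type Role struct {
	Keys      map[string]ed25519.PublicKey // keyid -> public key
	Threshold int
}

// keyID derives a key identifier (assumption: hex SHA-256 of the raw public
// key; a real implementation uses the keyid format its metadata defines).
func keyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// NewKey generates a fresh Ed25519 keypair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewRole builds a Role from a threshold and the public keys authorized for it.
func NewRole(threshold int, pubs ...ed25519.PublicKey) Role {
	r := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold}
	for _, p := range pubs {
		r.Keys[keyID(p)] = p
	}
	return r
}

// Sign produces a Signature over signed with the given private key.
func Sign(priv ed25519.PrivateKey, signed []byte) Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: keyID(pub), Sig: ed25519.Sign(priv, signed)}
}

// VerifyThreshold counts signatures that (a) name a key authorized for the
// role, (b) verify over the signed bytes, and (c) come from a key not already
// counted. It returns that count and whether it reaches the threshold. Below
// threshold the metadata is simply invalid; there is no "partly signed" state.
func VerifyThreshold(role Role, md SignedMetadata) (int, bool) {
	counted := map[string]bool{}
	for _, s := range md.Signatures {
		pub, authorized := role.Keys[s.KeyID]
		if !authorized {
			continue // keys outside the role never count toward the threshold
		}
		if counted[s.KeyID] {
			continue // the same key signing twice is still one key
		}
		if ed25519.Verify(pub, md.Signed, s.Sig) {
			counted[s.KeyID] = true
		}
	}
	return len(counted), len(counted) >= role.Threshold
}

func main() {
	pubA, privA := NewKey()
	pubB, privB := NewKey()
	_, privC := NewKey() // key C exists but is not authorized for the role
	role := NewRole(2, pubA, pubB)
	signed := []byte(`{"_type":"targets","version":3}`) // constructed sample payload

	cases := map[string][]Signature{
		"both authorized keys":  {Sign(privA, signed), Sign(privB, signed)},
		"only one key":          {Sign(privA, signed)},
		"same key twice":        {Sign(privA, signed), Sign(privA, signed)},
		"A plus unauthorized C": {Sign(privA, signed), Sign(privC, signed)},
	}
	for name, sigs := range cases {
		n, ok := VerifyThreshold(role, SignedMetadata{Signed: signed, Signatures: sigs})
		fmt.Printf("%-22s valid=%d threshold=%d accept=%v\n", name, n, role.Threshold, ok)
	}
}
```

The two easy mistakes this guards against are counting the same key more than once and counting a valid signature from a key that is not in the role; either one lets a single compromised key satisfy a threshold of two.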