asraa

How do you think we can programmatically do this? It relies on the tag being created, so maybe it can only effectively happen on the RC's? We would at some...

I think we have the same thing in mind. Once we finish creating the RC, we can also create a workflow_dispatch that runs the following 3 checks: 1. Downloads the...

I can take a look at this sometime soon -- now that we have a verifier e2e workflow it's easier for me to recreate test cases. `./cli/slsa-verifier/testdata/binary-linux-amd64-sharded` is what I'm...

Thank you both: yes, I'm well aware of convenional commit naming. I'll add a presubmit job that can enforce that, so hopefully we won't need to rely on detecting that...

Do either of you have recommendations for enforcing convenional commits? I've had a project only do it for PR title using: https://github.com/amannn/action-semantic-pull-request and seen some that check for the commit...

We currently have `ProvenanceOptions` -- we still need `BuilderOptions`

> Oh, it's not idempotent based on the same inputs? Correct, because signatures are generated during the metadata creation, so recreating the metadata would result in different bytes. > What...

> And move it to where we create the unified secret instead of doing in the server and serialize it and then unserialize it on server restart, that would also...

Yes, thanks! That would be great: even just starting with the creation of a groups.io listserve would be great. I'll be happy to file issues on various clients that want...

This is actually causing me problems in the verifier. Before the newline was removed, the targets file had 3972 bytes. Old TUF clients (before commit https://github.com/theupdateframework/go-tuf/pull/247) cannot verify metadata with...