Sebastien Awwad
Sebastien Awwad
Performance is good now. Will share times later. Code looks good to me. Basic happy path tests are good. Still doing manual testing due to missing tests in conda. Ken,...
@adriendelsalle and @wolfv pointed this out, and we discussed the way forward. There's some queued work on our side to move the verifications to package selection time (presentation of final...
Current text: > This SHOULD be through a digital signature from a private key accessible only to the service generating the provenance. ' nice to know this has been highlighted...
👍 I agree w/ Trishank: almost always worth transferring history. It takes a little bit of tinkering, but it's not too bad. At this point, it could still be worth...
There are two reasons I know of to work on this: - This is currently affecting users of conda / repository infrastructure who require that all contact with the server...
Fundamentally, it should not be possible for builders / users of the build system to cause (through ... essentially whatever means fall within the threat model) a consumer of the...
I think there are two different conversations here. Preston and I are primarily concerned with the signing scenario. Existing text was written in such a way as to permit other...
@trishankatdatadog I'm finishing up rewriting `all_targets` and `targets_of_role` now (no longer deprecated 🎉). `targets_of_role` isn't really interesting, and I'm content with the way I've rewritten it (docstring [here](https://gist.github.com/awwad/90a2df14a2f4be77f6ed82582ff79f73)). There are...
You should be safe if you use no targets role delegations, but be careful to keep it that way. :)
Thanks, Patrick. There have been some changes in developer availability, so now I'm taking a look at the broader Debian packaging issue. I'll have more by tomorrow.