Erick Tryzelaar

Results: 52 comments by Erick Tryzelaar

Hello! We've fixed this in git. We're in the middle of a pretty large radical refactor, where we've migrated to futures, and made rust-tuf more compliant with the TUF-1.0 spec....

Hello @cavokz! I'd appreciate any help. I've started sketching out some ideas, but haven't gotten too far yet. Here's roughly the API I think we could use: ```rust let staging...

(note I'm filing this and a bunch more tickets to capture some work I'm planning on submitting in the next week or so).

Here is the relevant section of the spec:

> 1.4. Check for a rollback attack. The version number of the trusted root metadata file (version N) must be less than...

Hi @andrewjstone! You are welcome of course to want to move at your pace and turn all this down :) As I was starting to go through the code, it...

I've started experimenting with the tool [bikeshed](https://github.com/tabatkins/bikeshed), which is the tool whatwg and a few other standards committees use for their specs. I made some slight format changes to the...

Since it’s now optional for us to have the hashes of the metadata, do you still think this optimization is safe if we don’t have hashes? The metadata signatures should...

> The snapshot role contains the version of all of the targets metadata files (top-level or delegated). So in this case, I think you may mean to say snapshot file...

FYI I started exploring this in #226.

> I have wondered that too. I think I've seen "signs metadata for" in some TUF diagrams. If we find a good term,...

Note that we don't want to just assume local metadata is trusted, and instead want to validate it's properly signed and not manipulated by a local attacker (see https://github.com/theupdateframework/specification/issues/107).