
Track verified states locally

Open adityasaky opened this issue 1 year ago • 1 comment

Add a description

gittuf does not currently track prior instances of successful verification for branches. For example, if the main branch is verified up to commit A and commits B and C are added, gittuf verification verifies up to commit A again. We should explore how to record locally only that the gittuf client verified up to commit A successfully to indicate that the next instance of the verification workflow can start from that point onwards. In doing so, we must consider how this list of "verified states" could be manipulated by an attacker depending on where they're stored.

Relevant log output if the discussion pertains to existing gittuf functionality

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

adityasaky avatar Dec 22 '23 17:12 adityasaky

Right. I agree having a local cache of such information is sensible.

In my view, so long as we end up with a solution that does not introduce any vulnerabilities / issues regardless of the repository / other user behavior, this is a positive.

One other thing we may want to consider is that a user may want to receive this information from another device for some reason. I think a sensible reason for doing so is when a user moves to a new laptop, they may not want to redo all of the checking for each of their repos. While this may happen naturally if they copy all file system state over, it may not happen in other cases. It could also (in theory) be the case that for a large repo like the Linux kernel, one decides to go from some later verification point which has been validated by a very large number of people you trust. (I'm not arguing this is a good model in all cases, I'm just saying that people will want this to happen, I think.)

JustinCappos avatar Dec 22 '23 17:12 JustinCappos
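An added example (not gittuf code, and not proposed by either participant) sketching the cache the issue describes and the two checks it would need before verification may skip ahead: the cached commit must still be an ancestor of the current tip (otherwise the branch was rewritten and the cache is stale), and the entry must carry a MAC under a per-user key kept outside the repository, so an attacker who can only write to the clone cannot point the cache at an unverified commit. The commit graph, the key and the function names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed commit graph: commit ID -> parent IDs. A <- B <- C on main.
var parents = map[string][]string{"A": nil, "B": {"A"}, "C": {"B"}}

// isAncestor reports whether anc is reachable from tip via parent links.
func isAncestor(anc, tip string) bool {
	seen := map[string]bool{}
	for stack := []string{tip}; len(stack) > 0; {
		c := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if c == anc {
			return true
		}
		if !seen[c] {
			seen[c] = true
			stack = append(stack, parents[c]...)
		}
	}
	return false
}

// VerifiedState is one cache entry: the last commit of Ref this client verified,
// bound to a key stored outside the repository (e.g. the user's config dir).
type VerifiedState struct{ Ref, Commit, MAC string }

func mac(key []byte, ref, commit string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(ref + "\x00" + commit))
	return hex.EncodeToString(h.Sum(nil))
}

// Record produces the entry written after ref verified successfully up to commit.
func Record(key []byte, ref, commit string) VerifiedState {
	return VerifiedState{Ref: ref, Commit: commit, MAC: mac(key, ref, commit)}
}

// ResumePoint returns the commit verification may resume from, or "" to start
// from scratch: no entry, wrong ref, MAC mismatch (entry edited), or the cached
// commit is no longer an ancestor of the branch tip (history rewritten).
func ResumePoint(key []byte, e *VerifiedState, ref, tip string) string {
	if e == nil || e.Ref != ref || !hmac.Equal([]byte(e.MAC), []byte(mac(key, ref, e.Commit))) {
		return ""
	}
	if !isAncestor(e.Commit, tip) {
		return ""
	}
	return e.Commit
}

func main() {
	key := []byte("constructed per-user key")
	e := Record(key, "refs/heads/main", "A")
	fmt.Println(ResumePoint(key, &e, "refs/heads/main", "C")) // A: verify only B and C
}
```

Copying the cache to another device, as discussed above, would also mean moving the key, and a key on the same disk only helps against an attacker who can write the repository but not the user's home directory.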