Jussi Kukkonen

Results 458 comments of Jussi Kukkonen

Good point, stuff like this would make the docs much better. I believe any change to published _signed_ metadata should lead to version bump: otherwise clients can't know when they...

I'll write down the details for pip specifically as an example (like it currently works in my WIP branch):
* every pip installation includes a bootstrap root.json. In some cases...

I think this changes nothing from the above descriptions, but just for the record: When the installed pip gets upgraded, the bootstrap metadata may change -- in an extreme case...

> The added metadata may make the initial install much larger, but it might be useful in some cases. The point about rollback protection is good... but I think including...

The original issue (chaining root trust from bootstrap root.json) should now be fairly easy to implement in ngclient:
* Updater should take the bootstrap root file (or bytes?) as optional...

Yes, if dependabot won't do this for us then maybe should add Yet Another Recurring GH Action that runs `pip-compile requirements.txt` and, if the results are not equal to requirements-pinned.txt,...

The tricky detail here (for automation) is different python versions: our current requirements-pinned.txt does not have different requirements but the requirements-test-pinned.txt in the linked PR does. I think the only...

Higher-level question (answer may be "let's handle in another issue"): Are we happy with the level of usefulness of these hashed bin examples? What I mean is that a basic...

I wonder if lukas is around next week? Could get his opinion on the general direction these scripts should be going to... but this PR looks good to me, I...

> @jku are there any particular issues you want me to file?

Well no, this is just me asking again _Are we happy with the level of usefulness of these...