Jussi Kukkonen
> Hello, I have set up the environment and was trying out your suggestion about setting up `version = tuf.__version__`. How do I test this? I mentioned this a few...
You don't mention what changed so I don't know... but if docs build from 'develop' does not include the version and a build with your change does, then that seems...
I'm reopening: The change seems fine but readthedocs does something on their end that hides this change https://theupdateframework.readthedocs.io/en/latest/index.html I think we can still try using the version in the actual...
> I still think that we should try to review Tier 2 releases. We don't pin dependencies for our users yet, but if a release of a dependency breaks our...
This is actually more relevant and actionable now with Dependabot groups: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups -- it allows us to document the policy AND make the computer do most of the work. We...
I think we should have this. sigstore-python would definitely use it.
More thoughts:
* This is also related to #1168 -- if we don't trust the client artifact cache, then we should also not have an API that allows for artifact...
I guess I should update current thinking on this. I think exposing the metadata to clients as described has security implications that may mean this is not a good idea....
Linking to my rough branch so it doesn't get lost: https://github.com/jku/python-tuf/commits/list-targets
* needs tests
* the delegated roles metadata (or even role name) is never exposed to client application in...
I think this might not be massively useful in this project anymore -- with all of the test improvements in the past 18 months we're now down to < 2...