Jussi Kukkonen
> (from **possible fixes**):
> * Whitelist python3 in tox.ini (I wouldn't do that, because we do want to use the python of the dedicated virtual environment and not any...
I think I've ended up with the same results in #1995 as awwad did here: exposing delegated roles list of targetpaths is unsafe unless each targetpath is confirmed to be...
(and just to document the current situation: ngclient does not expose the metadata to callers and does not implement `all_targets()` or `targets_of_role()` for these reasons).
Something like `targets_of_role()` could still make sense with caveats:
* role name can't be the sole argument -- no way to know what the delegation tree is if you do...
I've decided to just do a PR of this:
* a tiny repository abstraction
* example implementation of that abstraction (an in-memory ephemeral repository a bit like the one in...
There's a first draft in https://github.com/jku/python-tuf/commits/bootstrap-root-metadata -- I don't know if I'll push this further: Feel free to take this code and turn it into a PR. Needs tests (at the...
Just thinking out loud here: The seeming difficulty in properly integrating IPFS (and the fact that the use cases in the TAP seem _so_ different from each other from an...
> > What if the application that uses python-tuf just worked like this instead: > > ``` > updater = tuf.ngclient.Updater(...) > > if not updater.get_targetinfo(targetpath) > raise RuntimeError("oops, target...
This is maybe slightly off-topic (or too high level) for this specific issue but possibly relevant so I'll write this down: There seem to be two TUF pain points...
Oh and also: I think the decisions here are also very much sigstore system level decisions:
* how long can clients use key material without checking for new key material?...