Jussi Kukkonen
Jussi Kukkonen
> > What I mean is: I believe we only care whether _metadata is signed by the current threshold of keys_. It it is not, it should not be used...
> So IIUC you mean if no m_t of k_t exists in m_{t+n} of k_{t+n}, then delete previous timestamp/snapshots/targets metadata. I have to admit I don't understand what that means......
> it would break existing implementations right now and render them spec-uncompliant. After looking at some example data, I don't quite get this: the existing implementations are non-compliant right now,...
I'll add my findings about using rolenames and targetpaths as parts of filenames from https://github.com/theupdateframework/tuf/issues/1527: * Using arbitrary strings (urls, paths, whatever) as rolenames is a feature and we should...
In addition (not sure if this is another issue as it's not strictly about compromise), I don't think the key rotation strategies are spelled out anywhere: * root rotation typically...
After implementing both client and some repo side tools, I still ask the question in the title... Even though all my work has been completely based on normal files, I've...
> I'd certainly defer to @trishankatdatadog and @mnm678 here, but I my current understanding is in agreement with the ngclient authors conclusion (and yours, I believe, @raphaelgavache) that we should...
This section also lacks specificity WRT URLs: it only talks about "filenames" but both client and server have to do url parsing because of the way the HASH is being...
> `--cert-identity github:foo/bar \ ` > (Where github: is a psuedo-type that expands to something like uri:https://github.com/foo/bar/...) Just to be sure we're on the same page: The "github identity" is...
> my understanding is/was that you could only run a repository's workflow by triggering one of the workflow's own events, not an event on your own repository I think you're...