Jussi Kukkonen
after the two PRs currently open we might be pretty much done... "FA" might still be nice but I think that should be done by refactoring the code base to...
I think I'll close this as complete and open a new one about using ruff with "ALL" (excluding the ones we don't want)
Thanks for writing this down. I will have a look at the PR by tomorrow. We had a TUF maintainer meeting at KubeCon last week and discussed this area. The...
I'll also copy-paste my definition of the use-case -- I believe this is in line with what you wrote in the original description: * I do not have network connection, but...
Note that in the above description, if the application always uses "offline mode" after downloading for the first time, metadata never gets updated after that... So application is now left...
Yeah I could easily be convinced to always respect expiry: it's definitely the part that makes me most wary of this... It should be noted that the way sigstore clients...
Ok, have spent a little more time with this. There's a thread on sigstore slack (https://sigstore.slack.com/archives/C024FPJKC6L/p1694691208834919) but documenting some technical details here: * I think allowing expired metadata has some...
Documented my thinking here: https://docs.google.com/document/d/1IEVxgCsmLJNiAwdTFQ4aMvmGHJikmI_iOEHGpt8fIe8/edit?usp=sharing Main takeaway: I don't think a user option "--offline" in sigstore or other TUF using app makes sense unless we also allow expired metadata --...
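The trade-off discussed in the comments above (an "offline mode" that uses only cached metadata, whether expiry is still enforced, and what happens to a client that never comes back online), as an added example. This is not python-tuf code and not the commenter's code: `CachedMetadata`, `refresh` and `simulate` are hypothetical stand-ins for a cached top-level metadata file and a client refresh, and the 7-day metadata lifetime and the network being reachable only on days 0-2 are constructed inputs.

```python
# Added example, not python-tuf code: a constructed model of how an
# "offline" option interacts with metadata expiry. All names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CachedMetadata:
    """Stand-in for locally cached top-level metadata (e.g. timestamp)."""
    version: int
    expires: datetime


class MetadataExpired(Exception):
    pass


class NetworkUnavailable(Exception):
    pass


def refresh(cache, fetch, now, offline=False, allow_expired=False):
    """Decide which metadata the client trusts at time `now`.

    online  : fetch fresh metadata (may raise NetworkUnavailable), then
              enforce expiry.
    offline : use the cache only; enforce expiry unless allow_expired is set.
    Returns (metadata, stale); stale is True when expired metadata was
    accepted only because allow_expired was set.
    """
    if not offline:
        cache = fetch()
    if cache is None:
        raise MetadataExpired("no cached metadata and offline mode requested")
    expired = cache.expires <= now
    if expired and not (offline and allow_expired):
        raise MetadataExpired(
            f"version {cache.version} expired at {cache.expires.isoformat()}")
    return cache, expired


def simulate(offline_after_first_run, allow_expired):
    """Run a client once a day for 14 days (constructed timeline).

    The repository re-signs metadata daily with a 7-day lifetime, and the
    network is reachable only on days 0, 1 and 2. Returns a list of
    (day, outcome) pairs: "ok-vN", "stale-vN", "expired" or "no-network".
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lifetime = timedelta(days=7)

    def fetch_at(now):
        def fetch():
            if now - t0 > timedelta(days=2):
                raise NetworkUnavailable("no connection")
            # constructed repository: version number = day + 1
            return CachedMetadata(version=(now - t0).days + 1,
                                  expires=now + lifetime)
        return fetch

    cache = None
    log = []
    for day in range(14):
        now = t0 + timedelta(days=day)
        # the first run must be online to populate the cache at all
        offline = offline_after_first_run and cache is not None
        try:
            cache, stale = refresh(cache, fetch_at(now), now,
                                   offline, allow_expired)
            tag = "stale" if stale else "ok"
            log.append((day, f"{tag}-v{cache.version}"))
        except NetworkUnavailable:
            log.append((day, "no-network"))
        except MetadataExpired:
            log.append((day, "expired"))
    return log


if __name__ == "__main__":
    for label, args in [("online only", (False, False)),
                        ("offline, expiry enforced", (True, False)),
                        ("offline, expired allowed", (True, True))]:
        print(label, [o for _, o in simulate(*args)])
```

Running the three configurations shows the point of the comments: a client that goes offline after its first download and still enforces expiry works for the metadata lifetime and then fails hard on day 7, while one that also accepts expired metadata keeps trusting version 1 forever and never notices that it has fallen behind.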
I have an untested branch of offline (non-expiry-respecting) mode in https://github.com/theupdateframework/python-tuf/compare/develop...jku:python-tuf:offline-mode -- It's based on the work in the existing PR and I think it looks complete now but next...
The suggestion has a lot of merit... The issue is that * python-tuf should also be usable in apps that do not want cryptography * python packaging, as I understand...