Jussi Kukkonen
> so local use-cases can come later. Thank you for letting me know now. I disagree with this but let's just get something in even if it's close to unusable...
Summarizing my requests/questions:
* action output is still excessive
* I still think fakeoidc should be composed if possible: this would remove `ko` and `yq` from the dependencies and should...
> The remaining issue with the "sourced shell script" design is that the error handling is now missing for most commands -- this is a common issue shared by all...
sigstore-python has added this via a `--trust-config` option that accepts a json file matching the [ClientTrustConfig](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto#L185) definition: this is a mashup of TrustedRoot and SigningConfig. While SigningConfig is not yet...
There are two cases here:
1. if root vN is invalid, the spec is IMO clear: client should not continue with N+1. There is potential to investigate whether it would be...
I think I'll close this since the main question is not under debate: > should TUF clients fail if version N is invalid but version N+1 is valid? according to...
> pip command and many github actions are not pinned by hash

### python pinning

I believe no python installs are unpinned, I'd be happy to get an issue/PR for...
Hey @harshitasao, this is only slightly related ... but can you explain why we would get zero points for `Code-Review`: We do require review for every single PR. EDIT: oh...
> setting a default token permission seems like a decent idea (even if it doesn't really change the default). This is in #2684 now.
I think we've done what we want to fix here:
* some actions are unpinned by choice, others have been fixed
* release signing is done by https://github.com/pypa/gh-action-pypi-publish
* fuzzing...