Jussi Kukkonen

Results 453 comments of Jussi Kukkonen

I assume this is about practical compatibility with different repositories? I think the easiest way to implement this is through #649: repository implementations can add their test data into the...

> `tuf-js/vx.y npm-cli/vx.y`

a detail but I would suggest `npm-cli/x.y tuf-js/x.y` (or just `npm-cli/x.y`)
* most important component first
* no v-prefix for version number

An attempt was made but:
* sigstore-rs does not support signing in GitHub Actions so we need to test verify only and use a bundle made by another client
* ...

> yubico provides a web page https://www.yubico.com/genuine/ and tools (ykman piv keys attest 9c -) to do parts of this

Note to future me, what we are looking to verify...

Python lgtm and the rekor v2 types seem to work fine. I'm not going to promise that for rust (looks fine but I'm no expert and have not tested)

Can I get a short explanation for the use cases:

> Support for Timestamp Protocol verification

vs

> This field is planned for removal ([ [targets v11] What to do...

I'll close this as complete: we now include timestamps in bundles and with rekorv2 those are actually required for valid bundles (this will be released as 4.0)

My hunch is option 1 is not awful for reasons William listed.

> Is it OK to continue to rely on the deprecated library? Are there features missing from the...

This wasn't updated since June so it's clearly time:
* the keyid issue was fixed in root-signing-staging in July
* **there is still an upcoming compatibility issue with root-signing**
* ...