Jussi Kukkonen
Jussi Kukkonen
I'm writing down some observations on the TAP process as relative newcomer here, as promised in the community meeting: The TAP process seems useful: the requirement for a design document...
Hi root-signing contributors and interested bystanders, @kommendorkapten and I have been working on [TUF-on-CI](https://github.com/theupdateframework/tuf-on-ci) for the past few months -- it's a more "productized" TUF signing system that works on...
**Description** Clients embed a version of root metadata as the initial source of trust into their client apps and typically into their source code repos. They should also update that...
It is difficult to see what is currently available in prod and preprod, compared to git content -- and difficult to see if their current state is a result of...
User agent set in tuf/ngclient/_internal/requests_fetcher.py is `tuf/5.0.0` -- this looks good but I think should be `python-tuf/5.0.0` instead as it should identify the complete project when visible in an access...
libyami-utils fails to build with "--disable-x11". It does build with "--disable-x11 --disable-tests-gles". Tested on 1.1.0 release only (on Yocto if that matters). Here's the failure: ``` | In file included...
It would be useful to cache TUF metadata and the downloaded artifacts: * less downloading is better for everyone * cached metadata is slightly more secure In practice this would...
``` message Signature { // Signature itself. (In JSON, this is encoded as base64.) // REQUIRED. bytes sig = 1; // *Unauthenticated* hint identifying which public key was used. //...
https://github.com/astral-sh/uv currently fails to install protobuf-specs: https://github.com/theupdateframework/tuf-on-ci/issues/205 * uv does not accept pre-releases without an explicit `--prerelease=allow` * this project depends on betterproto 2.0.0b6 It's been about four years since...
WRT keyids, we currently say this: > **4.2. File formats: general principles** > KEYID: The identifier of the key signing the ROLE object, which is a hexdigest of the SHA-256...