Marina Moore

137 comments of Marina Moore

Not sure how to determine if a key is present locally.

This sounds like a great idea! If I understand correctly it could also improve security for first-time downloaders who do not yet have trusted metadata. That being said, we...

I agree with @lukpueh. This paragraph is referring just to the file, not the base url and path used to find the file. There might be a place to clarify...

> From simulating the code on this graph in my head, I _think_ my tuf-on-a-plane [code](https://github.com/trishankatdatadog/tuf-on-a-plane/blob/ee8049a63ea439d72509f6e876eef08fb50c6ab1/src/tuf_on_a_plane/repository.py#L319-L403) would correctly not explore E, but would incorrectly explore F. I read it the...

The spec states that
> A terminating delegation for a package causes any further statements about a package that are not made by the delegated party or its descendants to...
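The two comments above are about how a client walks a delegation graph and which roles a terminating delegation cuts off. The block below is an added example, not code from the original page, from tuf-on-a-plane or from python-tuf: a pre-order depth-first search that stops at a matching terminating delegation whether or not its subtree found the target, skips already-visited roles, and caps the number of roles examined. Assumptions not taken from the page: path patterns are matched with `fnmatch`, the top-level role is named `targets`, and the constructed `REPO` stands in for metadata whose signatures were already verified.

```python
"""Pre-order DFS over TUF-style delegations with terminating delegations (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


@dataclass
class Delegation:
    role: str            # name of the delegated role
    paths: List[str]     # glob patterns this delegation covers (assumption: fnmatch semantics)
    terminating: bool    # True: later sibling delegations may not answer for a matching path


@dataclass
class TargetsRole:
    name: str
    targets: Dict[str, dict]                       # target path -> fileinfo
    delegations: List[Delegation] = field(default_factory=list)


def find_target(repo: Dict[str, TargetsRole], target_path: str,
                max_roles: int = 32) -> Optional[Tuple[str, dict]]:
    """Return (role_name, fileinfo) from the first role allowed to speak for target_path, or None.

    Rules applied:
      * a role that lists the target itself wins immediately;
      * delegations are tried in listed order, but only those whose paths match;
      * a matching terminating delegation ends the whole search even when its
        subtree has no answer, so later siblings are never consulted;
      * roles already visited are skipped (cycle protection) and at most
        max_roles roles are examined in total.
    """
    visited = set()
    budget = [max_roles]

    def search(role_name: str) -> Tuple[Optional[Tuple[str, dict]], bool]:
        # Returns (result, stop); stop=True aborts the search at every level above.
        if role_name in visited or role_name not in repo or budget[0] <= 0:
            return None, False
        visited.add(role_name)
        budget[0] -= 1
        role = repo[role_name]
        if target_path in role.targets:
            return (role.name, role.targets[target_path]), True
        for d in role.delegations:
            if not any(fnmatch(target_path, p) for p in d.paths):
                continue                      # this delegation does not cover the path
            result, stop = search(d.role)
            if stop:
                return result, True
            if d.terminating:
                return None, True             # subtree had nothing: stop, do not try siblings
        return None, False

    return search("targets")[0]


def fileinfo(length: int) -> dict:
    # Constructed stand-in for real fileinfo (length + hashes); the hash is a placeholder.
    return {"length": length, "hashes": {"sha256": "00" * 32}}


# Constructed delegation graph (not from the page):
#   targets --(pkg/*, terminating)--> A --(pkg/lib/*)--> C --(*)--> A   (cycle)
#   targets --(*)--> B
REPO: Dict[str, TargetsRole] = {
    "targets": TargetsRole("targets", {}, [
        Delegation("A", ["pkg/*"], terminating=True),
        Delegation("B", ["*"], terminating=False),
    ]),
    "A": TargetsRole("A", {"pkg/foo.tar.gz": fileinfo(2048)}, [
        Delegation("C", ["pkg/lib/*"], terminating=False),
    ]),
    "B": TargetsRole("B", {"pkg/bar.tar.gz": fileinfo(1), "other/README": fileinfo(64)}),
    "C": TargetsRole("C", {"pkg/lib/libx.so": fileinfo(4096)}, [
        Delegation("A", ["*"], terminating=False),   # cycle back to A, must not loop
    ]),
}


if __name__ == "__main__":
    for path in ("pkg/foo.tar.gz", "pkg/bar.tar.gz", "other/README",
                 "pkg/lib/libx.so", "pkg/lib/missing.so"):
        print(path, "->", find_target(REPO, path))
```

The case to watch is `pkg/bar.tar.gz`: B does list it, but A's terminating delegation matches `pkg/*` first and has no entry, so the search ends with `None` and B's statement is ignored, exactly the effect the quoted spec sentence describes. Descendants of the terminating delegate (C, reached through A) are still allowed to answer.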

I opened #74 to address the first two points you made and clarify what rotation means in this context, please review/comment. I will leave the last point to @lukpueh in...

> IIUC it should be enough, if the client only deletes the trusted timestamp, when any of timestamp, snapshot or targets had a threshold of keys removed via root. Because...

@lukpueh That makes sense. It adds a few extra steps to the fast-forward recovery, but I think having rollback protection outside of just the timestamp roll is important.

A [changelog](https://github.com/uptane/deployment-considerations/blob/master/changelog.md) has worked well for the Uptane Standard. It could be partially automated by using PR or commit names as a starting point.