Marina Moore
You are scheduled for April 24.
If you will be at the event, we are looking for unconference moderators: https://docs.google.com/spreadsheets/d/1F-YFuX8zV1O14s8wmUmlAhdY5FXUSVJslJJTe8mdvrI/edit#gid=0
We have a draft of the document available here: https://docs.google.com/document/d/1oqljWdGCXfXSwOZsU4jjOQv0qz0Gdp0Xq1jOzAiqeBw/edit. Any feedback is welcome.
Blog post was published: https://www.cncf.io/blog/2024/02/14/policy-as-code-in-the-software-supply-chain/
> Would the CNS Map project help? - #551

Yes! That's one possible destination for this work
cc @Junochiu
Yes, closing as fixed in #192
> I've not reviewed properly but I'll write down some early high level worries:

Thanks for taking a look!

> * we can't just change the security properties that...
The version numbers of the rotate files don't relate to the version of the metadata, but are rather used to determine the order of the rotate files in the chain...
> I understand that. The point I'm trying to make is that pinning timestamp-rotate versions is not useful because an attacker with a timestamp signing key (the one defined in...