go-tuf icon indicating copy to clipboard operation
go-tuf copied to clipboard

Published 20 hours ago verified publisher icon theupdateframework

Implement TAP 4: Multi-repository mappings

Open asraa opened this issue 3 years ago • 6 comments

This tracking issue is to implement TAP 4: Multiple repository consensus on entrusted targets.

To implement this, I propose creating a NEW type MultiRepositoryClient which takes a map.json file. It would expose NewClient, Init, Update, Targets, and Download similar to the existing client.

Internally, it would contain a map from repository name to existing TUF client updaters. The logic for priority and consensus would exist in the MultiRepositoryClient.

The purpose of this is to use in Sigstore's TUF client to support multiple repositories, augmenting the public root with custom, hosted, or test repositories with an AND relationship.

cc @kommendorkapten @haydentherapper

asraa avatar Aug 02 '22 16:08 asraa

hi @asraa, have you already started working on this? can I help too?

dibrinsofor avatar Aug 15 '22 14:08 dibrinsofor

Hi @dibrinsofor! Definitely take a first stab!

I would highly recommend making changes incremental, since the smaller the change the faster it will be for me to review. You can start with a package parsing map.json!

asraa avatar Aug 15 '22 14:08 asraa

@dibrinsofor any updates here? I'm going to need this for something in the next several weeks. Happy to take it over if you haven't found the time, or work together (pair program or similar).

znewman01 avatar Sep 20 '22 16:09 znewman01

@znewman01 Sure, the pair programming should work. I have been preoccupied. let me know when you'll be free to do this.

dibrinsofor avatar Sep 20 '22 22:09 dibrinsofor

I'm in US/Eastern; what TZ are you in? Shoot me an email at zjn@ and this domain and we can schedule.

I'd prefer to kick things off this week if possible—maybe Thursday 7–10am (US/Eastern), or Friday most of the day. Let me know your availability and preferred platform for screenshare (I can do Zoom or Google Meet, and will consider other platforms as well)

znewman01 avatar Sep 21 '22 01:09 znewman01

If it wouldn't be super duper awkward, I'd love to jump in and participate. I'll be happy to just observe :)

vaikas avatar Sep 21 '22 01:09 vaikas

@dibrinsofor how's it going? Anything we can help with?

I think #396 can be merged pretty soon but you need to rebase and do a couple of things.

znewman01 avatar Nov 03 '22 18:11 znewman01

This would also help Datadog simplify it's Remote Configuration implementation! @arbll

trishankatdatadog avatar Mar 01 '23 16:03 trishankatdatadog

Closing since the code base changed and go-tuf now has support for this through the multi repo package.

Thanks for raising this 👍

rdimitrov avatar Jan 31 '24 21:01 rdimitrov