TAP request: artifact discovery, index files and targets metadata

[lukpueh]

The following observations have been made at several points in time by different people and might be worth an informational TAP:

• Artifact (target) discovery is not part of the TUF design, and only possible to a limited extent with TUF metadata
• Artifact discovery is a crucial feature in many content repositories, e.g.
  • download latest version of project
  • list all versions of project
• Content repositories may employ a custom search index for this purpose
• The search index must be included in targets metadata for security reasons
• If the search index is protected by targets metadata and lists additional information about artifacts, the actual artifacts may be omitted in targets metadata, and thus reduce metadata overhead.

References

• TUF and target discovery (detailed problem statement of above)
• PEP 458
• PEP 458 - Index only variant

[lukpueh]

cc @jku