Zack Newman
The following seem unlikely to be true at the same time:

> Partly because system daemons often have minimal paths, and can't always find things.

> And sometimes because people...
Such a solution would be 100% sufficient for my use case!
In the meantime, I have a very hacky workaround (for `cargo clippy`), by saving `$CARGO_HOME` from the dependencies build (there should be something better using `builtDependencies` directly but I'm getting...
Yeah, I think the default of "check that *someone* signed but not *who*" is pretty dangerous in general and I strongly support being able to configure a "verification policy" (with some...
> 1. How to find what IdP to trust for the email

Oof, this is really tricky and important to get right. There's [no canonical IdP for a given email](https://github.com/sigstore/fulcio/issues/639)...
> emailOnly (default)
>
> Only validate email matches cert.

In this case, I would strongly recommend hard-coding a default `identityProviders` configuration with a small list of trusted providers like...
+1 -- in theory, if you pointed Git at (1) Fulcio's CA and (2) a RFC3161 TSA, you could *verify* Gitsign signatures with no modifications to Git, just configuration. I...
> Planning to take a look at spinning up a rfc3161 server soon. I don’t think this is blocked though, you can easily use a third party TSA, and frankly...
I'm closing in favor of #357. Thanks for kicking this off, @toby-jn 😄
See context here: https://github.com/theupdateframework/go-tuf/pull/175/files#r850775514 Those lines you've pointed out *do* set the root/targets to 1! This issue is meant to track moving that over to `NewTargets` and `NewRoot` into data.go....