rdimitrov / go-tuf-metadata
Go implementation of The Update Framework heavily influenced by python-tuf
License: BSD 2-Clause "Simplified" License
Currently a Refresh() can be done only once during the lifetime of an Updater. This is not optimal for long-living processes, so it would be better if we enable calling Refresh() more than once.
References:
...
Upon calling Refresh() make sure everything is up-to-date and if that's true:
errors.Is
(less favourite) If something else occurred which prevented us from refreshing the metadata, still return the appropriate error value.
There should be two PoCs created with go-tuf-metadata -
From my brief reading of the metadata code, at present your library appears to make the same mistake as theupdateframework/go-tuf in that key signing is tightly coupled to primitive and crude on-disk keyfiles.
This means that real-world secure key storage such as PKCS#11 (theupdateframework/go-tuf#427), AWS KMS (theupdateframework/go-tuf#525) and others, e.g. Yubikey, are not readily supported and require hacky work-around kludges to work (e.g. manually hacking JSON files).
Of course support for signing from local keyfiles stored on disk should remain, but integration with real-world applications where the private key is stored in a non-exfiltratable format should be supported.
API to:
crypto.PublicKey / crypto.PrivateKey
References:
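Both the keyfile-coupling issue above and the request for a crypto.PublicKey / crypto.PrivateKey API come down to the same design point: sign through Go's crypto.Signer interface rather than through bytes read from a keyfile, so that a PKCS#11 token, a cloud KMS client or a YubiKey can be plugged in without touching JSON on disk. The following is an added example, not code from go-tuf-metadata or go-tuf; SignPayload, VerifyPayload, Signature and the kmsSigner stand-in are hypothetical names, the payload is a constructed sample, and key ID derivation is left to the caller.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Signature follows the TUF wire format: a key ID plus a hex-encoded signature.
// How the key ID is derived is out of scope here; the caller passes it in.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// SignPayload signs the canonical bytes of a "signed" object with any
// crypto.Signer. Only the interface is used, so the same call works for an
// in-memory key, a PKCS#11 token or a cloud KMS client that implements it.
// Ed25519 signs the message itself; ECDSA and RSA-PSS sign a SHA-256 digest.
func SignPayload(s crypto.Signer, keyID string, payload []byte) (Signature, error) {
	var (
		sig []byte
		err error
	)
	switch s.Public().(type) {
	case ed25519.PublicKey:
		sig, err = s.Sign(rand.Reader, payload, crypto.Hash(0))
	case *ecdsa.PublicKey:
		d := sha256.Sum256(payload)
		sig, err = s.Sign(rand.Reader, d[:], crypto.SHA256)
	case *rsa.PublicKey:
		d := sha256.Sum256(payload)
		sig, err = s.Sign(rand.Reader, d[:], &rsa.PSSOptions{Hash: crypto.SHA256})
	default:
		return Signature{}, fmt.Errorf("unsupported key type %T", s.Public())
	}
	if err != nil {
		return Signature{}, err
	}
	return Signature{KeyID: keyID, Sig: hex.EncodeToString(sig)}, nil
}

// VerifyPayload checks a Signature against a public key of any supported type.
func VerifyPayload(pub crypto.PublicKey, payload []byte, sig Signature) error {
	raw, err := hex.DecodeString(sig.Sig)
	if err != nil {
		return fmt.Errorf("signature is not hex: %w", err)
	}
	d := sha256.Sum256(payload)
	var ok bool
	switch k := pub.(type) {
	case ed25519.PublicKey:
		ok = ed25519.Verify(k, payload, raw)
	case *ecdsa.PublicKey:
		ok = ecdsa.VerifyASN1(k, d[:], raw)
	case *rsa.PublicKey:
		ok = rsa.VerifyPSS(k, crypto.SHA256, d[:], raw, nil) == nil
	default:
		return fmt.Errorf("unsupported key type %T", pub)
	}
	if !ok {
		return errors.New("invalid signature")
	}
	return nil
}

// kmsSigner is a constructed stand-in for a key held in an HSM or cloud KMS:
// it satisfies crypto.Signer but never exposes the private key material.
type kmsSigner struct{ key crypto.Signer }

func (k kmsSigner) Public() crypto.PublicKey { return k.key.Public() }
func (k kmsSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return k.key.Sign(r, digest, opts)
}

func main() {
	payload := []byte(`{"_type":"targets","version":3}`) // constructed sample
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig, err := SignPayload(kmsSigner{priv}, "ed25519-key", payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("ed25519 verify:", VerifyPayload(pub, payload, sig))

	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ = SignPayload(ec, "ecdsa-key", payload)
	fmt.Println("ecdsa verify:", VerifyPayload(&ec.PublicKey, payload, sig))
}
```

Because SignPayload only ever sees crypto.Signer, a real KMS or PKCS#11 backend drops in by implementing Public() and Sign(); the private key never needs to exist as bytes in the process, which is the non-exfiltratable property the issue asks for.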
Copied from the go-tuf project. This mostly applies to a repository-side CLI, which at the end should not be part of this project's scope.
As discussed in go-tuf, something like -
e.g.
tuf-client list: prints top-level targets
tuf-client list <delegation>: prints targets for delegation
In the examples, we have to update the URL of the trusted sigstore-tuf-root GCS to the new CDN.
Currently, when constructing the URL of the target file we want to fetch, we don't add the hash prefix to the target file name when consistent snapshots are enabled, so we have to fix that.
Ref: https://theupdateframework.github.io/specification/latest/#fetch-target
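The spec step referenced above says that with consistent snapshots the target is fetched as HASH.FILENAME, where HASH is one of the hashes recorded for that target in targets metadata, and that the downloaded bytes must then match the recorded length and hashes. The following is an added example of both halves of that step, not the project's own code; TargetURL, VerifyTarget, pickHash and the targetBase parameter are hypothetical names, and the target content is constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"path"
	"sort"
	"strings"
)

// TargetURL builds the download URL for a target as the TUF client workflow's
// "fetch target" step requires: with consistent snapshots enabled the file name
// becomes HASH.FILENAME, where HASH is one of the hashes recorded for the target
// in targets metadata; the directory part of the target path is unchanged.
// targetBase is the repository's targets base URL (a constructed parameter).
func TargetURL(targetBase, targetPath string, hashes map[string]string, consistentSnapshot bool) (string, error) {
	dir, file := path.Split(targetPath)
	if file == "" {
		return "", fmt.Errorf("target path %q has no file name", targetPath)
	}
	if consistentSnapshot {
		h, err := pickHash(hashes)
		if err != nil {
			return "", err
		}
		file = h + "." + file
	}
	// Escape each segment on its own so "/" is kept but spaces and the like are not.
	segs := strings.Split(dir+file, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return strings.TrimSuffix(targetBase, "/") + "/" + strings.Join(segs, "/"), nil
}

// pickHash returns one hash deterministically: sha256 if present, else sha512,
// else the alphabetically first algorithm listed.
func pickHash(hashes map[string]string) (string, error) {
	if len(hashes) == 0 {
		return "", errors.New("consistent snapshot enabled but target has no hashes")
	}
	for _, alg := range []string{"sha256", "sha512"} {
		if h, ok := hashes[alg]; ok && h != "" {
			return h, nil
		}
	}
	algs := make([]string, 0, len(hashes))
	for a := range hashes {
		algs = append(algs, a)
	}
	sort.Strings(algs)
	return hashes[algs[0]], nil
}

// VerifyTarget applies the checks the same step requires on the downloaded
// bytes: the length and every listed hash must match the targets metadata.
func VerifyTarget(data []byte, length int64, hashes map[string]string) error {
	if int64(len(data)) != length {
		return fmt.Errorf("length mismatch: got %d, want %d", len(data), length)
	}
	if len(hashes) == 0 {
		return errors.New("target has no hashes to verify")
	}
	for alg, want := range hashes {
		var got string
		switch alg {
		case "sha256":
			s := sha256.Sum256(data)
			got = hex.EncodeToString(s[:])
		case "sha512":
			s := sha512.Sum512(data)
			got = hex.EncodeToString(s[:])
		default:
			return fmt.Errorf("unsupported hash algorithm %q", alg)
		}
		if got != want {
			return fmt.Errorf("%s mismatch: got %s, want %s", alg, got, want)
		}
	}
	return nil
}

func main() {
	data := []byte("hello tuf\n") // constructed target content
	sum := sha256.Sum256(data)
	hashes := map[string]string{"sha256": hex.EncodeToString(sum[:])}
	for _, cs := range []bool{false, true} {
		u, err := TargetURL("https://example.com/targets", "dir/file.txt", hashes, cs)
		fmt.Println(cs, u, err)
	}
	fmt.Println("verify:", VerifyTarget(data, int64(len(data)), hashes))
}
```

Refusing to build the URL when a consistent-snapshot repository lists no hashes, and refusing to accept a download whose length matches but whose hash does not, are the two failure modes a client most often gets wrong in this step.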
Apparently codecov had an update and it started adding these file comments on a PR which are very distracting and make the review process difficult.
Let's disable this but still leave the codecov single comment in the PR showing the code coverage diff.
References:
Reference:
As of today we still pull in logrus inside library code, which then requires every user of the library to pull in the same logger. This creates unnecessary dependencies for consumers of the library portion of this repo.
Make logging optional for library code and/or remove the dependency on an external logger. The cleanest way would be to follow OpenTelemetry's strategy of using logr, which is merely an interface for any supported logger that can be plugged into the codebase. It supports structured logging and log levels and, most importantly, if no logger is supplied it also provides a no-op fallback. This would also allow continuing to use logrus for non-library code, as logrus can be used with this interface. Work is also under way to support the new slog package of Go inside logr.
This issue was discussed prior on the CNCF Slack, the consensus was to make logging optional and more flexible as there is no hard dependency on logrus.
The issue is about ensuring go-tuf-metadata handles concurrency safely and can be used in such environments.
Motivated by sigstore/sigstore-go#41 (comment)
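The earlier issue about calling Refresh() more than once and this one about concurrency safety point at the same structure: a refresh that is idempotent when nothing changed, keeps the previous verified state when something fails, and serialises writers while letting readers proceed. The following is an added sketch of that structure, not the project's code; Updater, Refresh, ErrRefresh, TargetHash and the in-memory remote are hypothetical names, the remote is a constructed stand-in for a repository, and the error-wrapping convention it shows is the errors.Is style the first issue mentions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrRefresh is the sentinel that every Refresh failure wraps, so callers can
// write errors.Is(err, ErrRefresh) whatever the underlying cause was.
var ErrRefresh = errors.New("tuf: metadata refresh failed")

// remote is a constructed stand-in for a TUF repository: it serves a snapshot
// version and a target list, and can be made to fail like a flaky network.
type remote struct {
	mu      sync.Mutex
	version int
	targets map[string]string // target path -> sha256 hex (constructed values)
	fail    error
}

func (r *remote) fetch() (int, map[string]string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.fail != nil {
		return 0, nil, r.fail
	}
	cp := make(map[string]string, len(r.targets))
	for k, v := range r.targets {
		cp[k] = v
	}
	return r.version, cp, nil
}

func (r *remote) publish(version int, targets map[string]string, fail error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.version, r.targets, r.fail = version, targets, fail
}

// Updater keeps the last verified metadata. Refresh may be called any number of
// times; one mutex serialises refreshes, an RWMutex lets lookups run concurrently.
type Updater struct {
	remote  *remote
	refresh sync.Mutex   // one refresh in flight at a time
	state   sync.RWMutex // guards version and targets
	version int
	targets map[string]string
}

func NewUpdater(r *remote) *Updater {
	return &Updater{remote: r, targets: map[string]string{}}
}

// Refresh fetches the remote snapshot. An unchanged version leaves the local
// state untouched and returns nil; a lower version is a rollback and is refused;
// any failure is wrapped in ErrRefresh and the previous state is kept.
func (u *Updater) Refresh() error {
	u.refresh.Lock()
	defer u.refresh.Unlock()
	v, t, err := u.remote.fetch()
	if err != nil {
		return fmt.Errorf("%w: %v", ErrRefresh, err)
	}
	cur := u.Version()
	switch {
	case v < cur:
		return fmt.Errorf("%w: rollback from version %d to %d refused", ErrRefresh, cur, v)
	case v == cur:
		return nil // already up to date
	}
	u.state.Lock()
	u.version, u.targets = v, t
	u.state.Unlock()
	return nil
}

func (u *Updater) Version() int {
	u.state.RLock()
	defer u.state.RUnlock()
	return u.version
}

// TargetHash is safe to call from many goroutines while Refresh runs.
func (u *Updater) TargetHash(p string) (string, bool) {
	u.state.RLock()
	defer u.state.RUnlock()
	h, ok := u.targets[p]
	return h, ok
}

func main() {
	r := &remote{version: 1, targets: map[string]string{"app.tar.gz": "aa"}}
	u := NewUpdater(r)
	fmt.Println(u.Refresh(), u.Refresh(), u.Version()) // nil nil 1
	r.publish(1, nil, errors.New("connection timed out"))
	err := u.Refresh()
	fmt.Println(errors.Is(err, ErrRefresh), u.Version()) // true 1
}
```

Two locks rather than one keep the refresh path honest: the refresh mutex stops two concurrent Refresh() calls from racing each other's version comparison, while the RWMutex means a long-running process can keep serving target lookups from the last good state during a refresh, including one that fails.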
In part of the examples that we run in CI, and in the tests too, we use the jku/tuf-demo repository as something to run go-tuf-metadata against.
Recently tuf-demo switched to using tuf-on-ci, so we had to reset the repository along with its metadata and target files, which is why some of the examples/tests currently fail. For example, succinct roles are not available so far in tuf-on-ci, so we should update the part of the examples that depends on such a target file.
To fix this, we have to update the tests and the examples to search for and fetch a target from the latest tuf-demo repository.
Tests and examples should not fail