CNAB Security 304: Known implementations #288

Merged
merged 1 commit into from
May 19, 2020

@radu-matei radu-matei commented Oct 22, 2019

depends on #280

@trishankatdatadog

Can you assign me to review? Thanks!

@trishankatdatadog trishankatdatadog left a comment

@radu-matei I think it's a great start! A few comments:

  1. Could we show a complete workflow? Such as setting up the metadata repository for the first time (TUF roles and keys, in-toto root layout and keys, etc). The in-toto bit should be OPTIONAL for most users.
  2. Could we use a real live registry, if possible, instead of localhost, please?

304-known-implementations.md
INFO[0001] Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268"
```

- if the TUF metadata associated with a bundle also contains in-toto metadata in the `custom` object of the targets file, Signy will validate all layouts and links, and perform the verifications inside a verification image:
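
Review bot: the in-toto bullet says Signy will "validate all layouts and links" and run the verifications inside a verification image, but it does not say what the user sees when a layout or link fails, or where the verification image comes from and whether it is itself verified before use. Suggest adding a sentence on the failure behaviour and on the origin of the verification image, since the output shown just above covers only the successful push.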

Member Author

This is still an open work item for Signy.

@trishankatdatadog trishankatdatadog mentioned this pull request Oct 23, 2019
9 tasks
@trishankatdatadog

Per meeting today, Radu and I will work on a Python implementation.

@technosophos technosophos added this to the CNAB Security 1.0 milestone Feb 12, 2020
@technosophos

What's the status on this? Should we review it? The last comment makes it sound like there is more work to do.

@trishankatdatadog

@technosophos As a 1.0 WD, it is fine. We are working on the Go implementation right now, so things will change in the near future :)

@trishankatdatadog trishankatdatadog removed their assignment Feb 14, 2020

@trishankatdatadog trishankatdatadog left a comment

@radu-matei Can you pls make it clear it's a 1.0 WD, add it to ToC in README, and link to it from a sentence in 300?

@technosophos

Do not add the version (1.0 Draft) on this file. We just got that fixed across all files this week. Only the 300 doc needs the version string. Subsections are not independently versioned.

@trishankatdatadog

@technosophos Ooops, got it, thanks!

@trishankatdatadog

@radu-matei Bump, is there anything else we need to do for this?

@technosophos

Quick ping on this: What is left to do?

Apply review feedback
Update 304 known implementations

Signed-off-by: Radu M <root@radu.sh>

@silvin-lubecki silvin-lubecki left a comment