feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

Merged

Contributor

@rdimitrov rdimitrov commented Jan 25, 2024

Description:

The following PR replaces the content of the existing master branch with the content of https://github.com/rdimitrov/go-tuf-metadata.

It includes the following changes:

  • Created a commit which wiped out the existing content
  • Cherry-picked all commits from https://github.com/rdimitrov/go-tuf-metadata on top. The motivation is so we can preserve the history of both projects and also recognise the contributions made by all so far.
  • Switched rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2
  • Update the licensing to one that corresponds to the theupdateframework organisation (decided to make this in a follow up PR so we keep this one only about the migration)

What's next

  • Once we merge this, we'll leave some time (more than a month) before we deprecate the rdimitrov/go-tuf-metadata repository in favour of this one
  • Migrate all opened issues to this repository and revisit existing ones whether they still make sense or not
  • Migrate back things that are useful from the legacy go-tuf code - templates, code owner files, licence files, workflows?, etc.

Motivated by #485

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected). Please ensure that your PR title is a Conventional Commit breaking change (with a !, as in feat!: change foo).

Description of the changes being introduced by the pull request:

Please verify and check that the pull request fulfills the following requirements:

  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

rdimitrov and others added 30 commits January 24, 2024 14:51
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.4.4 to 1.5.0.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.4.4...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…framework#3)

* docs: add comments describing the different types

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: add golangci and codeql

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: begin adding tests

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: add licence notice

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: update licence year to 2023

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: fix linting error

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

* chore: temp limit ci to ubuntu so we don't waste GHA resources

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>

Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
dependabot bot and others added 21 commits January 25, 2024 12:36
…ateframework#76)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.2.4...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…amework#78)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.13.0 to 0.14.0.
- [Commits](golang/sys@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…teframework#79)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
…eframework#81)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.15.0.
- [Commits](golang/crypto@v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
theupdateframework#82)

Since TUF spec 1.0.32 the key type for ecdsa does not include the parameters,
they are only part of the key-scheme.
This commit updates the default keytype to not include the parameters, but
includes a compatibility key type to be able to accept metadata compliant
with older versions of the spec.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Ignore temporary files from emacs (ends with '~')

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Remove dep of go-logr/logr.
Provided is an (almost) logr compatible interface.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Remove V method from logger.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* remove unnecessary variable

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Removed unnecessary code change

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* ran go mod tidy

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

---------

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…amework#85)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.14.0 to 0.15.0.
- [Commits](golang/sys@v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…eframework#87)

* Added an unsafe method for loading the tuf metadata on disk

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Feedback from review. Added a config parameter instead of a separate method.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Added unit tests for unsafe local mode

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* DEBUG: remove added tests

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* comment out correct test

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Uncommented tests cases and disabled go caching

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

---------

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…eframework#84)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.16.0.
- [Commits](golang/crypto@v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#90)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.7.5 to 1.7.6.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.7.5...v1.7.6)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…eframework#92)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0.
- [Commits](golang/crypto@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#93)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.7.6 to 1.8.0.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.7.6...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…amework#95)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0.
- [Commits](golang/sys@v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…eframework#96)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.17.0 to 0.18.0.
- [Commits](golang/crypto@v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…o-tuf/v2

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov
Contributor Author

This is what I used to copy the content and its history -

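```bash
#!/bin/bash

# Retrieve all commit hashes from the first commit onwards, in chronological order
commit_hashes=$(git log source/main --reverse --format="%H")

# Cherry-pick each commit from the source repository, counting the ones that fail
failed=0
for commit in $commit_hashes; do
    if ! git cherry-pick "$commit"; then
        echo "Cherry-picking commit $commit failed."
        failed=$((failed + 1))
    fi
done

# Report success only when every commit was applied
if [ "$failed" -eq 0 ]; then
    echo "All commits have been successfully cherry-picked"
else
    echo "$failed commit(s) could not be cherry-picked"
fi
```
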
  • There were 3 merge commits (empty) that failed being cherry-picked but since they are empty ones they are not relevant
  • source/main is rdimitrov/go-tuf-metadata@main
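
A check that could follow the replay described above, as an added example that is not part of the original comment or of the project's code: it compares tree objects to confirm that the cherry-picked history ends with exactly the source content even though merge commits were skipped. The repositories, file names, dates and the helpers `same_tree`, `add_file` and `demo_migration` are constructed for the demonstration.

```bash
#!/bin/bash
# True when two revisions resolve to the same tree object, i.e. an identical
# set of files and contents, whatever the commit hashes and history are.
same_tree() {  # same_tree <repo> <rev-a> <rev-b>
    [ "$(git -C "$1" rev-parse "$2^{tree}")" = "$(git -C "$1" rev-parse "$3^{tree}")" ]
}

# Constructed helper: commit one small file with a fixed committer date so
# that `git log --reverse` lists parents before children.
add_file() {  # add_file <repo> <name> <second>
    echo "$2" > "$1/$2" && git -C "$1" add "$2" &&
    GIT_COMMITTER_DATE="2024-01-01 00:00:0$3 +0000" git -C "$1" commit -q -m "add $2"
}

# Builds throwaway repos (constructed data), replays source/main onto a wiped
# destination the way the script above does, and prints the destination path.
demo_migration() {
    local work src dst c
    work=$(mktemp -d) || return 1
    src="$work/src"; dst="$work/dst"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    for c in "$src" "$dst"; do
        git init -q "$c" && git -C "$c" symbolic-ref HEAD refs/heads/main
    done
    add_file "$src" a.txt 1                        # source: commit A on main
    git -C "$src" checkout -q -b side
    add_file "$src" b.txt 2                        # commit B on a side branch
    git -C "$src" checkout -q main
    git -C "$src" merge -q --no-ff -m merge side   # merge commit with no own changes
    add_file "$dst" legacy.txt 3                   # destination: pre-existing content
    git -C "$dst" rm -q legacy.txt && git -C "$dst" commit -q -m "wipe"
    git -C "$dst" remote add source "$src" && git -C "$dst" fetch -q source
    for c in $(git -C "$dst" log source/main --reverse --format="%H"); do
        git -C "$dst" cherry-pick "$c" >/dev/null 2>&1 || echo "skipped $c" >&2
    done
    echo "$dst"
}

repo=$(demo_migration)
if same_tree "$repo" HEAD source/main; then echo "content identical to source/main"
else echo "content differs from source/main"
fi
```

The comparison only holds directly after the replay; a later commit such as the module path switch changes the tree by design.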

@kommendorkapten
Member

So excited to see this! 🚀

@rdimitrov rdimitrov self-assigned this Jan 29, 2024
Member

@kommendorkapten kommendorkapten left a comment

Well good!

@rdimitrov rdimitrov merged commit 4e440e2 into theupdateframework:master Jan 29, 2024
14 checks passed