cnabio / cnab-spec

Cloud Native Application Bundle Specification
https://cnab.io

Establishing trust for multiple registries #332

Closed trishankatdatadog closed 4 years ago

trishankatdatadog commented 4 years ago

An attempt to fix #314

trishankatdatadog commented 4 years ago

He probably does. I'll wait for him to say what he'd like to see.

trishankatdatadog commented 4 years ago

> The example approaches given based on TAP 4 seem to require a willingness on the part of vendors to support metadata repositories other than their own or to agree to share a meta metadata repository. This then begs the same question: how does a vendor establish trust in a shared repository?

Hi Glyn, sorry, I don't fully understand. Does the following paragraph not answer the Q?

> Trust for different metadata repositories with different roots of trust can be established out-of-band using an approach like TAP 4. For example, a bundle runtime could be shipped with known good copies of TUF root metadata for different repositories, or there could even be a meta metadata repository that distributes these root metadata. How to establish whether a root metadata file is trustworthy is out of the scope of this document.

Are you asking specifically how do we trust a root metadata file at all?
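The paragraph quoted above describes two out-of-band anchors: root metadata for each repository shipped with the bundle runtime, and a TAP 4 style map that says which repositories may speak for which bundle names and how many of them must agree. The following is an added example, not code from the cnab-spec project or from the PR author, showing how a toy runtime would combine the two: a fetched root must match the shipped copy before the repository gets a vote, and a bundle is trusted only when at least `threshold` trusted repositories report the same hash and length. All repository names, URLs, hashes and metadata documents are constructed for illustration; real TUF root metadata would be verified by signature, not by a hash pin as simplified here.

```python
import fnmatch
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good root metadata per repository, embedded in the runtime at build
# time (constructed stand-ins for real TUF root.json documents).
SHIPPED_ROOTS = {
    "vendor-a": b'{"_type":"root","version":1,"keys":{"ka1":"<pubkey>"}}',
    "vendor-b": b'{"_type":"root","version":1,"keys":{"kb1":"<pubkey>"}}',
    "vendor-c": b'{"_type":"root","version":1,"keys":{"kc1":"<pubkey>"}}',
}
PINNED_ROOT_HASHES = {name: sha256_hex(doc) for name, doc in SHIPPED_ROOTS.items()}

# TAP 4 style map file (constructed): entries are consulted in order, and a
# terminating entry ends the search whether or not it produced a result.
MAP_FILE = {
    "repositories": {
        "vendor-a": ["https://registry-a.example/metadata"],
        "vendor-b": ["https://registry-b.example/metadata"],
        "vendor-c": ["https://registry-c.example/metadata"],
    },
    "mapping": [
        {"paths": ["vendor-a/*"], "repositories": ["vendor-a"], "threshold": 1, "terminating": True},
        {"paths": ["vendor-c/*"], "repositories": ["vendor-c"], "threshold": 1, "terminating": True},
        {"paths": ["*"], "repositories": ["vendor-a", "vendor-b"], "threshold": 2, "terminating": True},
    ],
}

# What a fetch from each repository would return (constructed). vendor-c's
# root differs from the shipped copy, so that repository must be rejected.
FETCHED = {
    "vendor-a": {"root": SHIPPED_ROOTS["vendor-a"], "targets": {
        "vendor-a/web": {"sha256": "aa11", "length": 1024},
        "shared/db": {"sha256": "dd22", "length": 4096},
        "shared/cache": {"sha256": "cc33", "length": 2048},
    }},
    "vendor-b": {"root": SHIPPED_ROOTS["vendor-b"], "targets": {
        "shared/db": {"sha256": "dd22", "length": 4096},
        "shared/cache": {"sha256": "ee44", "length": 2048},  # disagrees with vendor-a
    }},
    "vendor-c": {"root": b'{"_type":"root","version":1,"keys":{"kx9":"<pubkey>"}}', "targets": {
        "vendor-c/tool": {"sha256": "ff55", "length": 512},
    }},
}


def root_is_trusted(repo: str, fetched_root: bytes) -> bool:
    """Out-of-band trust: the fetched root must equal the copy shipped with the runtime."""
    pinned = PINNED_ROOT_HASHES.get(repo)
    return pinned is not None and sha256_hex(fetched_root) == pinned


def resolve_bundle(name, map_file=MAP_FILE, fetched=FETCHED):
    """Return the sha256/length that at least `threshold` trusted repositories
    agree on for `name`, or None when no mapping entry yields consensus."""
    for entry in map_file["mapping"]:
        if not any(fnmatch.fnmatchcase(name, p) for p in entry["paths"]):
            continue
        votes = {}  # (sha256, length) -> repositories reporting it
        for repo in entry["repositories"]:
            data = fetched.get(repo)
            if data is None or not root_is_trusted(repo, data["root"]):
                continue  # unreachable or untrusted repository casts no vote
            info = data["targets"].get(name)
            if info is None:
                continue
            votes.setdefault((info["sha256"], info["length"]), []).append(repo)
        for (digest, length), repos in votes.items():
            if len(repos) >= entry["threshold"]:
                return {"sha256": digest, "length": length, "agreeing": sorted(repos)}
        if entry["terminating"]:
            return None
    return None


if __name__ == "__main__":
    for bundle in ["vendor-a/web", "shared/db", "shared/cache", "vendor-c/tool"]:
        print(bundle, "->", resolve_bundle(bundle))
```

Running the block shows the four outcomes a runtime has to handle: a vendor-owned name trusted on that vendor's word alone, a shared name trusted because two repositories agree, a shared name rejected because the repositories disagree, and a name rejected because the only authoritative repository failed its root pin check.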

glyn commented 4 years ago

> > The example approaches given based on TAP 4 seem to require a willingness on the part of vendors to support metadata repositories other than their own or to agree to share a meta metadata repository. This then begs the same question: how does a vendor establish trust in a shared repository?
>
> Hi Glyn, sorry, I don't fully understand. Does the following paragraph not answer the Q?

I don't think so.

> > Trust for different metadata repositories with different roots of trust can be established out-of-band using an approach like TAP 4. For example, a bundle runtime could be shipped with known good copies of TUF root metadata for different repositories, or there could even be a meta metadata repository that distributes these root metadata. How to establish whether a root metadata file is trustworthy is out of the scope of this document.
>
> Are you asking specifically how do we trust a root metadata file at all?

Perhaps, if that is essentially the same thing as establishing trust in a metadata repository. Pardon my ignorance...

trishankatdatadog commented 4 years ago

> Perhaps, if that is essentially the same thing as establishing trust in a metadata repository. Pardon my ignorance...

Not a problem. Shall we discuss this in the Security / Registry meeting next week, so that I am super clear about what you mean? Thanks!

trishankatdatadog commented 4 years ago

I have added this action item to the meeting agenda...

glyn commented 4 years ago

@trishankatdatadog Unfortunately my Wednesday evenings are currently spoken for, so I can't attend the meeting. Happy to chat some other time though. Maybe grab me on slack?

trishankatdatadog commented 4 years ago

@glyn @jlegrone @radu-matei Are we good to go?

trishankatdatadog commented 4 years ago

@glyn @radu-matei so should we merge, or?

technosophos commented 4 years ago

I believe this is good to go now. @radu-matei if you agree, can you merge?

radu-matei commented 4 years ago

Yeah, this only needs a rebase on top of master and we can merge.

trishankatdatadog commented 4 years ago

@radu-matei @technosophos I have rebased. Thanks very much!