Closed trishankatdatadog closed 4 years ago
He probably does. I'll wait for him to say what he'd like to see.
The example approaches given based on TAP 4 seem to require a willingness on the part of vendors to support metadata repositories other than their own or to agree to share a meta metadata repository. This then begs the same question: how does a vendor establish trust in a shared repository?
Hi Glyn, sorry, I don't fully understand. Does the following paragraph not answer the Q?
Trust for different metadata repositories with different roots of trust can be established out-of-band using an approach like TAP 4. For example, a bundle runtime could be shipped with known good copies of TUF root metadata for different repositories, or there could even be a meta metadata repository that distributes these root metadata. How to establish whether a root metadata file is trustworthy is out of the scope of this document.
Are you asking specifically how do we trust a root metadata file at all?
> The example approaches given based on TAP 4 seem to require a willingness on the part of vendors to support metadata repositories other than their own or to agree to share a meta metadata repository. This then begs the same question: how does a vendor establish trust in a shared repository?
> Hi Glyn, sorry, I don't fully understand. Does the following paragraph not answer the Q?
I don't think so.
> Trust for different metadata repositories with different roots of trust can be established out-of-band using an approach like TAP 4. For example, a bundle runtime could be shipped with known good copies of TUF root metadata for different repositories, or there could even be a meta metadata repository that distributes these root metadata. How to establish whether a root metadata file is trustworthy is out of the scope of this document.
> Are you asking specifically how do we trust a root metadata file at all?
Perhaps, if that is essentially the same thing as establishing trust in a metadata repository. Pardon my ignorance...
Not a problem. Shall we discuss this in the Security / Registry meeting next week, so that I am super clear about what you mean? Thanks!
I have added this action item to the meeting agenda...
@trishankatdatadog Unfortunately my Wednesday evenings are currently spoken for, so I can't attend the meeting. Happy to chat some other time though. Maybe grab me on slack?
@glyn @jlegrone @radu-matei Are we good to go?
@glyn @radu-matei so should we merge, or?
I believe this is good to go now. @radu-matei if you agree, can you merge?
Yeah, this only needs a rebase on top of master and we can merge.
@radu-matei @technosophos I have rebased. Thanks very much!
An attempt to fix #314