Closed davidweisse closed 3 months ago
I'm still confused by this change. If we have a manifest we trust, then we also already audited the policies referenced in this manifest. Why should we still write all the files on disk then and ask the user to audit it again?
The `set` command does not unpack the policies, so it is somewhat convenient to get them through `verify`. But I agree that we should not ask the user to audit them.
Remember those two calls are (potentially) called from different entities! The data owner still has to review both the manifest and the policies. If the result of the verify should be "you definitely can trust this Coordinator, and no further steps are required" then we must assume the policies were also communicated out of band and the data owner already verified them (so there is no reason to output them). I think we should keep the output of files and state even more clearly to the data owner what to do.
The `verify` command already takes the manifest file as an input. On `verify`, the CLI will now check if the local manifest matches the active manifest on the Coordinator.
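The check described in that last comment, as an added illustration that is not the project's code and not part of this thread: both manifests are parsed and re-encoded in a canonical form before hashing, so that whitespace and key order in the data owner's local file do not produce a false mismatch, while any change to a referenced policy hash does. The `Manifest` shape, the field names and the sample documents are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Constructed sample inputs (not real Contrast manifests). The local copy is
// pretty-printed with a different key order than what the Coordinator returns;
// the tampered copy swaps one policy hash.
var (
	localManifest = []byte(`{
  "policies": { "backend": "abc123", "frontend": "def456" },
  "version": 1
}`)
	activeManifest   = []byte(`{"version":1,"policies":{"frontend":"def456","backend":"abc123"}}`)
	tamperedManifest = []byte(`{"version":1,"policies":{"frontend":"def456","backend":"zzz999"}}`)
)

// canonicalDigest parses a JSON manifest and re-encodes it with sorted keys and
// no insignificant whitespace, then hashes the result. encoding/json sorts map
// keys when marshaling, which is what makes the re-encoded form canonical.
func canonicalDigest(raw []byte) (string, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return "", fmt.Errorf("parsing manifest: %w", err)
	}
	canon, err := json.Marshal(v)
	if err != nil {
		return "", fmt.Errorf("re-encoding manifest: %w", err)
	}
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:]), nil
}

// checkActiveManifest compares the data owner's local manifest against the
// manifest the Coordinator reports as active. It returns true only when the
// canonical digests agree; the message is what a CLI would print so the data
// owner knows whether further steps are needed.
func checkActiveManifest(local, active []byte) (bool, string, error) {
	want, err := canonicalDigest(local)
	if err != nil {
		return false, "", fmt.Errorf("local manifest: %w", err)
	}
	got, err := canonicalDigest(active)
	if err != nil {
		return false, "", fmt.Errorf("active manifest: %w", err)
	}
	if want != got {
		msg := fmt.Sprintf("active manifest %s does not match local manifest %s: "+
			"do not rely on this Coordinator until the difference is explained",
			got[:12], want[:12])
		return false, msg, nil
	}
	return true, "active manifest matches local manifest; policies it references were already audited with it", nil
}

func main() {
	for name, active := range map[string][]byte{"active": activeManifest, "tampered": tamperedManifest} {
		ok, msg, err := checkActiveManifest(localManifest, active)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: match=%v (%s)\n", name, ok, msg)
	}
}
```

Hashing the canonical form rather than the raw file bytes is the point: a manifest a human edited and saved with a formatter still verifies, and only a semantic change (a different policy hash, an added workload) is reported as a mismatch.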