gittuf / gittuf

A security layer for Git repositories
https://gittuf.dev
Apache License 2.0

*: Drop verify-{commit,tag} workflows #445

Closed adityasaky closed 1 week ago

adityasaky commented 1 week ago

These workflows have some shortcomings, as discussed in https://github.com/gittuf/gittuf/issues/384#issuecomment-2099153472.

verify-commit doesn't currently do enough to ensure the right policy is identified for when a commit is first introduced. verify-ref, with some enhancements, is better.

verify-tag implements a subset of verify-ref already because it recognizes tags are refs. Thus, verify-ref is again a better option.

Note: this makes #431 a bit cleaner.

adityasaky commented 1 week ago

cc @patzielinski @flandweber @neilnaveen

neilnaveen commented 1 week ago

This makes much more sense since the verify commit cannot assure us that the ref is correctly verified, and the tags themselves are just special refs. We would have to add some code into verify-ref to handle tags for everything to work smoothly, or would we only want the basic verification we get from verify-ref? Thoughts?

flandweber commented 1 week ago

I agree. I believe the most important benefit of this change is that it makes gittuf simpler to use.

adityasaky commented 1 week ago

> This makes much more sense since the verify commit cannot assure us that the ref is correctly verified, and the tags themselves are just special refs. We would have to add some code into verify-ref to handle tags for everything to work smoothly, or would we only want the basic verification we get from verify-ref? Thoughts?

We already handle tags separately via verifyTagEntry, so I think we're covered actually. I also have a change (ab1fa83bc406a4394217f0047f699e6292f3a933) coming that updates verifyTagEntry to use the verifier bits to enable attestations.