sigstore / rekor

Software Supply Chain Transparency Log
https://sigstore.dev
Apache License 2.0

Upgrade TUF from deprecated v0 API to modern v2 #2256

Closed jas4711 closed 1 month ago

jas4711 commented 1 month ago

Hi!

I'm working on rekor packaging in Debian, and due to other packages we would like to upgrade TUF (github.com/theupdateframework/go-tuf) from v0 to v2 and rekor is one of two packages still using the old interface. The v0.7 branch is deprecated, see:

https://github.com/theupdateframework/go-tuf#history---legacy-go-tuf-vs-go-tufv2

This is an issue to request that you update the code to TUF v2. Is this possible? Any reason not to?

haydentherapper commented 1 month ago

We are in the process of working on a v2 API for Rekor. Given the TUF Rekor target and TUF verifier are barely used, we will be removing them in v2. Clients can upload TUF metadata by canonicalizing it into a hash and uploading it as a hashedrekord type, and for signature verification, providing the public key.

Given we will be removing these due to very low usage, we won’t be updating the existing type.

haydentherapper commented 1 month ago

Did you have a use case for this type? If so, let’s chat more and see how you can use hashedrekord entries instead.

jas4711 commented 1 month ago

I have no use-case for TUF in rekor! I am just trying to get rekor to build. Dropping the TUF v0 dependency completely is a perfectly fine solution.

haydentherapper commented 1 month ago

Perfect! Removing a specific type and verifier should be fine to do if you're running a private instance. Let me know if you have any other questions.