Add list of TUF implementations

[mnm678]

This list is intended to supersede the roadmap section proposed in #theupdateframework/specification#284. For now it just lists implementations, but can be extended to link to roadmaps (once they exist for projects) and other documentation

[JustinCappos]

I'd recommend we add some Uptane implementation information also.

What about the JavaScript implementation and Notary V1?

Also, should we mention there are closed source implementations we don't link to?

And should we indicate which are preferred for new adopters in some way?

[mnm678]

I added those additional implementations.

I think we should refrain from endorsing any implementation, with the possible exception of the reference implementation(s). Adding endorsements would make this list harder to maintain and put pressure on us to define specification conformance, security requirements, etc for implementations (which seems out of scope).

[JustinCappos]

I added those additional implementations.

I think we should refrain from endorsing any implementation, with the possible exception of the reference implementation(s). Adding endorsements would make this list harder to maintain and put pressure on us to define specification conformance, security requirements, etc for implementations (which seems out of scope).

In general, I'm in favor, but my understanding is that some of the TUF developers for a Go implementation would be happier to see people adopt the other option. Can you think of a sane way to handle that? (Or am I off-base?)

[mnm678]

In general, I'm in favor, but my understanding is that some of the TUF developers for a Go implementation would be happier to see people adopt the other option. Can you think of a sane way to handle that? (Or am I off-base?)

go-tuf is working on a transition to go-tuf-metadata. However, I believe the new code will eventually move into the go-tuf GitHub repository, and so the link here will remain accurate. If an implementation is no longer maintained, we could move it to a different section in this list as needed.

[jku]

A 1-2 line description for each could be really useful (especially if we want to include repository implementations like RSTUF and TUF-on-CI in the future as I think we should ):

• Is it a library or a (intended for production) application ?
• does it "implement" a client, repository or just the "wire format implementation"?

Obviously this is more work and may not stay 100% accurate but I think would still be beneficial. We could add this info in other PRs -- or open issues in the related projects so they can make PRs to describe their project