Add references to TAP 13 (once it is accepted)

[pattivacek]

We are removing references to TAP 5, which has been more or less replaced by TAP 13, but TAP 13 isn't approved yet. Once it is, we should restore and rework some of that text.

[jhdalek55]

@trishankatdatadog @mnm678 @JustinCappos what is the current status of TAP 13? Do you think it will be accepted before our June deadline for V.1.2.0? If not, we should change the milestone on this issue.

[JustinCappos]

I think it's plausible. Let's see. The Notary V2 effort (and possibly Python community too) will help debug this for us.

On Sat, Mar 13, 2021 at 12:19 AM Lois Anne DeLong @.***> wrote:

@trishankatdatadog https://github.com/trishankatdatadog @mnm678 https://github.com/mnm678 @JustinCappos https://github.com/JustinCappos what is the current status of TAP 13? Do you think it will be accepted before our June deadline for V.1.2.0? If not, we should change the milestone on this issue.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/uptane/uptane-standard/issues/198#issuecomment-797596121, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGROD4E7SIVVCEQLKI5RCDTDIWJHANCNFSM4USEJEOA .

[plapczyn]

Per 2021-04-27 Uptane meeting, we think it should be plausible to release TAP 13 before the 1.2.0 Uptane release. @mnm678 to add to next TUF meeting agenda.

[jhdalek55]

@JustinCappos @mnm678 should we still anticipate this as a 1.2.0 issue?

[jhdalek55]

During the 5/25 Uptane Standards meeting it was decided we would re-label this for V.2.0.0. Though there has been some progress on TAP 13, it likely will require a little more time before approval.

[jhdalek55]

I can't change the milestone. Can someone update this for 2.0.0?

[jhdalek55]

Thanks, Marina.

[jhdalek55]

TAP 13 has been approved as a draft as of 11-3-21. Is this sufficient acceptance to reference it in Uptane? Or, should we wait until it has been approved and merged? @JustinCappos @tkfu @trishankatdatadog @iramcdonald...what are your thoughts?

[mnm678]

We should wait until it's approved. Some of the implementation details might change, so Uptane implementers should probably wait to implement until acceptance.

[jhdalek55]

Thanks @mnm678. That makes sense.

[jhdalek55]

Since this issue cannot be resolved at this time, can we make a new label, perhaps PENDING, for issues like this for which cannot say when they answered? I would prefer we did not leave issues like this (#162 #198) labeled "2.0.0" on the repo as it gives the appearance that we did not completed these on-time. Failing that can we leave it posted without a version label at all?

[jhdalek55]

This is still waiting for TUF approval of TAP 13.

[jhdalek55]

I'm pasting in the original references to TAP 5 that were removed. In all these cases, the reference to TAP was taken out, but nothing was substituted. Given that TAP 13 has probably changed a bit over the past three years, would it still be a relevant reference? If not, do we need to bother with this at all, or could we just close this issue?

5.2.2. Root metadata: "If this mapping of URLs is used, the implementer SHOULD implement this functionality following [TAP-5] to avoid adding unforeseen security risks."

5.2.4. Snapshot metadata: "The Snapshot metadata MAY also list the Root metadata filename and version number. This is not required, particularly for implementations of [TAP-5], but MAY be included in all cases for backward compatibility."

5.4.4.2. Full verification: "If [TAP-5] is supported and a Primary has an external connection to the Uptane repositories, a Primary ECU SHALL download metadata and images following the rules specified in that TAP."

[JustinCappos]

@mnm678 Is the right person to look at this, I think.

[mnm678]

TAP 13 only allows mapping for targets files, so isn't relevant in the 5.2.4 case at all.

In general, I think we could just close this until someone requests this feature specifically for Uptane. TAP 13 will work with Uptane, but I think we can leave it out of the standard until there's a need for it.

[jhdalek55]

It mnkes sense to me as well to close it, at least for now. Let's leave leave the PR open maybe for a week or so for any dissenting opinions, and then this we'll close it.

[jhdalek55]

@mnm678 can you close this, per the decision at the 11/22 Standards meeting? There have been no objections over the past 10 days so I think we're good to go.

[jhdalek55]

Thanks, @mnm678 .