Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CNAB Security 304: Known implementations #288

Merged
merged 1 commit into from
May 19, 2020
Merged

CNAB Security 304: Known implementations #288

merged 1 commit into from
May 19, 2020

Conversation

radu-matei
Copy link
Member

@radu-matei radu-matei commented Oct 22, 2019
edited
Loading

depends on #280

@trishankatdatadog
Copy link
Member

Can you assign me to review? Thanks!

@radu-matei radu-matei force-pushed the 304-implementations branch 2 times, most recently from f4cbf2a to ef9d385 Compare October 22, 2019 21:13
trishankatdatadog
trishankatdatadog suggested changes Oct 22, 2019
View reviewed changes
Copy link
Member

@trishankatdatadog trishankatdatadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@radu-matei I think it's a great start! A few comments:

  1. Could we show a complete workflow? Such as setting up the metadata repository for the first time (TUF roles and keys, in-toto root layout and keys, etc). The in-toto bit should be OPTIONAL for most users.
  2. Could we use a real live registry, if possible, instead of localhost, please?

304-known-implementations.md Outdated Show resolved Hide resolved
304-known-implementations.md Outdated Show resolved Hide resolved
304-known-implementations.md Outdated Show resolved Hide resolved
304-known-implementations.md Show resolved Hide resolved
@radu-matei radu-matei mentioned this pull request Oct 22, 2019
Open
trishankatdatadog
trishankatdatadog reviewed Oct 23, 2019
View reviewed changes
304-known-implementations.md Outdated
INFO[0001] Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268"
```

- if the TUF metadata associated with a bundle also contains in-toto metadata in the `custom` object of the targets file, Signy will validate all layouts and links, and perform the verifications inside a verification image:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is still an open work item for Signy.

@trishankatdatadog trishankatdatadog mentioned this pull request Oct 23, 2019
Merged
9 tasks
@trishankatdatadog
Copy link
Member

Per meeting today, Radu and I will work on a Python implementation

@technosophos technosophos added this to the CNAB Security 1.0 milestone Feb 12, 2020
@technosophos
Copy link
Member

What's the status on this? Should we review it? The last comment makes it sound like there is more work to do.

@trishankatdatadog
Copy link
Member

@technosophos As a 1.0 WD, it is fine. We are working on the Go implementation right now, so things will change in the near future :)

@trishankatdatadog trishankatdatadog removed their assignment Feb 14, 2020
trishankatdatadog
trishankatdatadog suggested changes Feb 14, 2020
View reviewed changes
Copy link
Member

@trishankatdatadog trishankatdatadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@radu-matei Can you pls make it clear it's a 1.0 WD, add it to ToC in README, and link to it from a sentence in 300?

@technosophos
Copy link
Member

Do not add the version (1.0 Draft) on this file. We just got that fixed across all files this week. Only the 300 doc needs the version string. Subsections are not independently versioned.

@trishankatdatadog
Copy link
Member

@technosophos Ooops, got it, thanks!

@trishankatdatadog
Copy link
Member

@radu-matei Bump, is there anything else we need to do for this?

@technosophos
Copy link
Member

Quick ping on this: What is left to do?

Add initial version of 304-known-implementations of the security spec
70ab70b 
Apply review feedback
Update 304 known implementations

Signed-off-by: Radu M <root@radu.sh>
@radu-matei radu-matei force-pushed the 304-implementations branch from 748496d to 70ab70b Compare April 15, 2020 05:44
silvin-lubecki
silvin-lubecki approved these changes May 13, 2020
View reviewed changes
Copy link
Contributor

@silvin-lubecki silvin-lubecki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

carolynvs
carolynvs approved these changes May 13, 2020
View reviewed changes
Copy link
Contributor

@carolynvs carolynvs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

304-known-implementations.md Show resolved Hide resolved
@carolynvs
Copy link
Contributor

@radu-matei You have two ✅ but since there was that one question of that link I'll leave it to you to time when to merge.

@radu-matei radu-matei merged commit 280bd5e into cnabio:master May 19, 2020
@radu-matei radu-matei deleted the 304-implementations branch May 19, 2020 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trishankatdatadog trishankatdatadog trishankatdatadog requested changes

@silvin-lubecki silvin-lubecki silvin-lubecki approved these changes

@carolynvs carolynvs carolynvs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
CNAB Security 1.0
Development

Successfully merging this pull request may close these issues.
5 participants
@radu-matei @trishankatdatadog @technosophos @carolynvs @silvin-lubecki