This issue collects the sub-issues that are needed to deploy TUF on registries. Some of these are addressed in the [proposed design] but require some validation; others will require some more design work.
- Accessing TUF metadata on a registry #3: Registries are not filesystems, they are content-addressed storage. This affects how artifacts and metadata in a registry will be accessed, and requires some reframing/adjustments to the TUF workflow.
- Signing multiple versions #4: What does it mean for artifacts to be current? Unlike in many package managers, a new version does not necessarily replace the old version, so TUF needs to account for multiple valid versions of an artifact.
- Scaling timestamp and snapshot #5: Snapshot metadata needs to scale to the registry, and may be inconsistent with the moment-to-moment state of a registry.
We also need to think about how containers can keep state for the metadata/targets cache. Sometimes containers are nuked and have to be respawned all over again. AFAIK, storage can be a tricky thing in containerized environments.
While containers are thought of as stateless, and while CI/CD systems use containers to create ephemeral clients to have a fresh state, the problem isn't really about containers.
Any secure environment should start from a clean state. Containers happen to be good tools for that approach.
So, I'd suggest it's not about keeping state on a client. Rather, can we have a means to store "state" in a trustable, restorable location? This way each time an instance is spun up, it can restore some reference that can be compared.
This is essentially the "two keys required to launch the missile" approach.
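
A sketch of the restore-and-compare idea from the comment above, as an added example that is not part of the original thread or of any TUF implementation: an ephemeral client restores the last metadata versions it trusted from an external store, checks that the restored blob is intact, and refuses a rollback. The HMAC-sealed state blob, the key, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical key held outside the container (e.g. injected at start-up).
STATE_KEY = b"constructed-demo-key"
ROLES = ("timestamp", "snapshot")


def seal_state(versions: dict, key: bytes = STATE_KEY) -> bytes:
    """Serialize trusted metadata versions and append an HMAC-SHA256 tag."""
    body = json.dumps(versions, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def restore_state(blob: bytes, key: bytes = STATE_KEY) -> dict:
    """Return the stored versions, or raise if the blob fails verification."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("restored state failed integrity check")
    return json.loads(body)


def check_rollback(trusted: dict, fetched: dict) -> dict:
    """Compare freshly fetched metadata versions with the restored state.

    Follows the TUF client rule that a role's version number must never
    decrease. Returns the state to seal and store for the next instance.
    An empty `trusted` (brand-new client) accepts any version, so the first
    run has no rollback protection; that is why the state must be restored.
    """
    for role in ROLES:
        seen = trusted.get(role, 0)
        if fetched[role] < seen:
            raise ValueError(f"rollback detected for {role}: "
                             f"{fetched[role]} < {seen}")
    return {role: fetched[role] for role in ROLES}


if __name__ == "__main__":
    # Constructed sample: state written by a previous, now-destroyed instance.
    blob = seal_state({"timestamp": 41, "snapshot": 7})
    trusted = restore_state(blob)
    print(check_rollback(trusted, {"timestamp": 42, "snapshot": 7}))
```
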
@justincormack @NiazFK @sudo-bmitch @gokarnm @SteveLasker may have other items for this list