Move TAP 8 to accepted #187

Merged
mnm678 merged 3 commits into theupdateframework:master from mnm678:tap8-acceptance
Apr 15, 2024

@mnm678 (Contributor) commented Mar 26, 2024

No description provided.

mnm678 added 2 commits March 26, 2024 08:55
revocation has been moved to TAP 20.

Signed-off-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: Marina Moore <mnm678@gmail.com>
mnm678 mentioned this pull request Apr 9, 2024
mnm678 requested review from jkjell and lukpueh April 11, 2024 13:30
@jkjell (Contributor) left a comment

Looks good. I'm not sure if an optional/conditional client workflow is typically documented, but I asked for my own knowledge at least. 😅

lukpueh previously approved these changes Apr 12, 2024
@lukpueh (Member) left a comment

Looks good.

I must say though that I don't quite understand the sections about TAP 4 and TAP 3: Half of the TAP 4 section talks about mirrors, which are not related to TAP 4, and the other half is a bit vague ("repository manager must ensure that they have the same set of trusted keys after all rotations" ... who are they and why?). And the section about TAP 3 seems to describe the same rotation process as without TAP 3. Or am I missing something?

Either way, I don't think these two sections should block the TAP. The basic idea sounds reasonable to me.

Unfortunately, the POC seems outdated, but IIUC the official (and lived) TAP process does not require a full implementation before the final status.

Co-authored-by: John Kjell <john@testifysec.com>
Signed-off-by: Marina Moore <mnm678@users.noreply.github.com>
@mnm678 (Contributor Author) commented Apr 15, 2024

Thanks for the reviews @lukpueh @jkjell! I pushed a suggested change, which dismissed the reviews. If you could re-approve this should be good to go.

@lukpueh The TAP 3 process is basically the same, that section is just describing the compatibility.

@trishankatdatadog (Contributor)

Thanks all for moving this long-outstanding TAP fwd.

I can't speak for @jku, but we have some reservations about the complexity this TAP adds, although we understand the value it could add to OSS package registries like PyPI, so we probably weren't the best people to review it.

Thanks again!

mnm678 merged commit 683cc5d into theupdateframework:master Apr 15, 2024