LFX: Add TUF project for Term 01 #1340
Conversation
cc @jku, @JustinCappos Signed-off-by: Lukas Puehringer <[email protected]>
There was a problem hiding this comment.
Hi @lukpueh, thanks for this!
Usually we ask that there be more than one mentor per project, but as that's labelled TBD I'll approve this PR as a work in progress (we can make updates later if needed -- even into the application phase).
|
|
||
| A suitable visual representation of this trust hierarchy makes TUF's security properties more accessible to end-users, and, more importantly, allows metadata signers to carefully review metadata changes before signing them. | ||
|
|
||
| In this project you will, together with your mentor and the TUF community, identify requirements for the visualization of a TUF metadata repository and build a corresponding web app. |
There was a problem hiding this comment.
Something I forgot when we we discussed this: I think the focus on "web app" is probably correct (considering the need to make the proposal tangible)...
That said, one of the difficulties in tuf-on-ci has been that there are two use cases with different technical limitations:
- We want the repository state (who the signers are, when will signatures expire, what are the current artifact hashes) to be highly visible to the community: A website makes sense here even if it sidesteps some TUF security protections
- But we also want the signers to only trust the information given by their signing tool (code running on their machine): they should not make decisions based on content of a website. Currently signing tools are all command line apps
If there's a way to improve both use cases, that would be great.
|
@lukpueh, I think the upstream issue may be incorrect as it's closed. Sorry i didn't catch this earlier, could you open a follow up PR to this with the correct Upstream issue? |
cc @jku, @JustinCappos