What comes before v1.0? #21
Comments
FYI: I just tagged v0.1.0 -- https://github.com/secure-systems-lab/signing-spec/releases/tag/v0.1.0 |
Do we have working prototypes somewhere, especially one to support Google's use case, and another to support our Canonical JSON? That would be the only thing that would really convince me, not endless specifications. |
I suggest creating a GitHub milestone for this. (If you add me as an editor in the project, I'd be happy to set that up for you.) I filed #28 for the reference implementation. |
I've created the milestone and added #28 to it. |
I don't know if this is a "reference" implementation, but we have "an" implementation here: https://github.com/in-toto/in-toto-golang/blob/master/pkg/ssl/sign.go |
I propose that the following are the only blockers:
Once we have done these three, we tag it as 1.0. Any objections? |
How much do we care about #27? There's already an implementation that uses the already defined PAE. I'm fine either way, I just want to make sure this is actually a good use of time. |
IMO it's valuable since it significantly simplifies the implementation and is an easy change to make. |
SGTM |
I chatted offline with @MarkLodato on the possibility to use a simpler encoding for the envelope part too: that would prevent recipients from using a full-blown JSON parser on untrusted input. But it's yet more work to make this change and may not be the best use of time at this stage. |
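The PAE and envelope handling discussed in the comments above, as an added example that is not part of this thread or of the signing-spec project's own code. It assumes the PAE definition as published in the DSSE v1.0 spec (`"DSSEv1" SP LEN(type) SP type SP LEN(body) SP body`, not quoted on this page), uses HMAC-SHA256 as a stand-in for a real signature algorithm so it runs offline, and shows the defensive point made above: the verifier recomputes PAE over the raw decoded bytes and only hands the payload on after a signature checks out, so nothing parses the untrusted payload first. The key and payload are constructed sample values.

```python
"""Added example, not the signing-spec project's code. Builds and verifies a
DSSE-style envelope over a length-prefixed PAE message. Assumes the DSSE v1.0
PAE layout; HMAC-SHA256 stands in for a real signature scheme."""
import base64
import hashlib
import hmac
import json


def pae(payload_type: bytes, payload: bytes) -> bytes:
    # Length prefixes (ASCII decimal) make the message unambiguous without
    # any escaping or parsing of the payload itself.
    return b"DSSEv1 %d %b %d %b" % (len(payload_type), payload_type, len(payload), payload)


def sign_envelope(key: bytes, payload_type: str, payload: bytes, keyid: str) -> dict:
    """Produce an envelope dict (payloadType, base64 payload, signatures)."""
    sig = hmac.new(key, pae(payload_type.encode(), payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(keys: dict, envelope: dict) -> bytes:
    """Return the raw payload only if at least one signature verifies.

    The payload bytes are never interpreted before this check; the envelope
    itself is still JSON here (the thread discussed, but did not adopt, a
    simpler envelope encoding)."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"].encode(), payload)
    for entry in envelope["signatures"]:
        key = keys.get(entry["keyid"])
        if key is None:
            continue  # unknown signer: skip, never trust
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            return payload
    raise ValueError("no valid signature")


def demo() -> dict:
    """Sign a constructed payload, verify it, then show a tampered copy is rejected."""
    key = b"constructed-demo-key"  # constructed sample, not a real credential
    keys = {"demo-key-1": key}
    payload = json.dumps({"_type": "example", "claim": "hello"}).encode()
    env = sign_envelope(key, "application/vnd.example+json", payload, "demo-key-1")
    verified = verify_envelope(keys, env) == payload
    # Only after verification is it safe to parse the payload as JSON.
    json.loads(payload)
    tampered = dict(env, payload=base64.b64encode(payload.replace(b"hello", b"bye")).decode())
    try:
        verify_envelope(keys, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    # Changing payloadType changes the PAE too, so the signature no longer binds.
    retyped = dict(env, payloadType="text/plain")
    try:
        verify_envelope(keys, retyped)
        type_change_rejected = False
    except ValueError:
        type_change_rejected = True
    return {"verified": verified, "tamper_rejected": tamper_rejected,
            "type_change_rejected": type_change_rejected}


if __name__ == "__main__":
    print(demo())
```

The `pae` output for the spec's own sample inputs (`http://example.com/HelloWorld`, `hello world`) is the literal bytes `DSSEv1 29 http://example.com/HelloWorld 11 hello world`, which is what makes the format easy to check by eye and to implement without a parser.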
It's 1.0 now! |
With these requirements addressed in the current draft of the signing-spec, it's likely time to discuss what needs to be addressed before we're ready to tag v1.0. Achieving stability in the spec would enable us to work on the adoption in-spec in ITE-5 / TAP-TBD, and in-code via work on signing-spec implementations.