-
Notifications
You must be signed in to change notification settings - Fork 556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cleanup for TUF code #1935
Comments
FYI, just to make sure you're aware, but there's this PR moving much of the code sigstore/sigstore: |
One AI for tracking: Clean up the |
Another one: testing verification failure and TUF object closure #1932 (comment) /~https://github.com/sigstore/cosign/runs/6643745610?check_suite_focus=true
This seems to happen after the job rejection, and now currently passes after the ordering was switched, and retrieving the alt key happens before Line 393 in e7bcb69
DONE: #1953 |
Cleanup |
I’m going to review 1921 today. i would prefer we not submit 1932 without more discussion. |
Another one: Cleanup the configurable remote /~https://github.com/sigstore/cosign/pull/1921/files#r882887941 |
Load all targets into memory at initialize to save time reading/writing to disk: #1921 (comment) DONE: #1953 |
One more: Initialize CheckOpts for verification material with TUF, do not invoke our TUF client inside library functions. This will make it infinitely easier to test. |
Asra, thanks for your hard work here, it's looking good 😄 Is this actually closed? |
Re-opening, the remaining items are:
|
I think the consolidate Rekor pub overrides has been done as well as 'Set RekorPubs in CheckOpts'. I'm curious however about the need for this to be a singleton, especially since it is a library, it being a singleton makes some things more interesting. I know there's work going on with TAP-4 in the upstream, but in the meantime, if this were not a singleton, a user could create two instances of the TUF client, and now that the checkopts can be passed the keys independent of the TUF (TUF fetches, they are then passed to CheckOpts), I can't think of a reason for this being a singleton, but wouldn't be the first time I'm wrong :) |
To fix #1899 @asraa submitted #1921. @vaikas stepped in to help with tests and adapted it to #1932. This appears to fix the bug, and I approved it because this has been blocking the Cosign release for more than a week (the new release contains #1894 which we should get out ASAP).
But #1921 contains some good suggestions for cleaning up that code; we should definitely do a bunch of them. It's important that this code be clear and testable.
CC @haydentherapper
The text was updated successfully, but these errors were encountered: