Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add list of TUF implementations #4

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add list of TUF implementations #4

wants to merge 4 commits into from

Conversation

mnm678
Copy link
Contributor

@mnm678 mnm678 commented Jul 7, 2023

This list is intended to supersede the roadmap section proposed in #theupdateframework/specification#284. For now it just lists implementations, but can be extended to link to roadmaps (once they exist for projects) and other documentation

@mnm678 mnm678 mentioned this pull request Jul 7, 2023
Closed
@JustinCappos
Copy link
Member

I'd recommend we add some Uptane implementation information also.

What about the JavaScript implementation and Notary V1?

Also, should we mention there are closed source implementations we don't link to?

And should we indicate which are preferred for new adopters in some way?

@mnm678
Mention closed source implementations
dbcc093 
Signed-off-by: Marina Moore <[email protected]>
@mnm678
Add tuf-js and TUF variants
b2a2003 
Signed-off-by: Marina Moore <[email protected]>
@mnm678
Add Notary
a93ecc0 
Signed-off-by: Marina Moore <[email protected]>
@mnm678
Copy link
Contributor Author

mnm678 commented Jul 7, 2023

I added those additional implementations.

I think we should refrain from endorsing any implementation, with the possible exception of the reference implementation(s). Adding endorsements would make this list harder to maintain and put pressure on us to define specification conformance, security requirements, etc for implementations (which seems out of scope).

@JustinCappos
Copy link
Member

I added those additional implementations.

I think we should refrain from endorsing any implementation, with the possible exception of the reference implementation(s). Adding endorsements would make this list harder to maintain and put pressure on us to define specification conformance, security requirements, etc for implementations (which seems out of scope).

In general, I'm in favor, but my understanding is that some of the TUF developers for a Go implementation would be happier to see people adopt the other option. Can you think of a sane way to handle that? (Or am I off-base?)

@mnm678
Copy link
Contributor Author

mnm678 commented Jul 11, 2023

In general, I'm in favor, but my understanding is that some of the TUF developers for a Go implementation would be happier to see people adopt the other option. Can you think of a sane way to handle that? (Or am I off-base?)

go-tuf is working on a transition to go-tuf-metadata. However, I believe the new code will eventually move into the go-tuf GitHub repository, and so the link here will remain accurate. If an implementation is no longer maintained, we could move it to a different section in this list as needed.

@jku
Copy link
Member

jku commented Jul 16, 2023
edited
Loading

A 1-2 line description for each could be really useful (especially if we want to include repository implementations like RSTUF and TUF-on-CI in the future as I think we should ):

  • Is it a library or a (intended for production) application ?
  • does it "implement" a client, repository or just the "wire format implementation"?

Obviously this is more work and may not stay 100% accurate but I think would still be beneficial. We could add this info in other PRs -- or open issues in the related projects so they can make PRs to describe their project

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mnm678 @JustinCappos @jku