-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Followups from #435 #436
Comments
Quoting from
So I'm gonna add to your TODO list :) |
SGTM, I can update my PRs so that sigstore/sigstore's |
Also fine to stick one that does consult the env var in sigstore/sigstore as long as it's not the only option. I just don't want to force that on callers. |
If more callers want to adopt the env var version, we can move that into sigstore/sigstore too, as a separate opt-in process. For now I think you've convinced me that the env var behavior is only documented for cosign, and so should stay there unless/until someone else wants it. After some of this lands I want to move more things into |
Are we concerned with breaking existing clients that may rely on this now? Hopefully folks are using TUF and not relying on the environment variables, but those were added for testing purposes. There's one for each of the TUF targets (CT log, Rekor, Fulcio), so we should probably add support for passing in the env var to a constructor (or maybe adding it to the context?) in a later PR. |
Hmm...I was gonna say "it's not documented anywhere" but that's not true. I dunno, I guess I struggle to think of a situation that this would break...cosign will continue to work, and callers of cosign will probably continue to work too if we handle the env var in cosign itself. 🤷 |
Sorry, I didn’t mention context - the PR in Sigstore/Sigstore removed the environment variable. I just wanted to confirm we plan to continue supporting the variable by adding a constructor or something. |
I agree with Zack, callers of cosign methods will continue to get the same behavior with the env var, for better or worse. If they move to the s/s equivalent (as we recommend) they won't, but I doubt they've intended to get that behavior anyway. If they need it, they can stay on the cosign version until the s/s one gets an equivalent. |
Sounds good, let’s add this as a TODO on this issue to track this. |
With #435 merged, our thoughts now turn to all the TODOs we'd left for a future date 😆 The env var issue was resolved by keeping that behavior in cosign, and the GCS dependency was snipped out before moving to sigstore. Does anybody fancy some godoc writing? 🙏 It sounds like we also need to update the root.json file now in sigstore/sigstore, but I'm not sure I understand the implications of that well enough to do it myself. |
Bumping the root doesn't need to happen right now, it just saves one or two network calls to fetch an extra root. |
Followups from #435
panic
infulcioroots.Get()
version: 3
inroot.json
(Move fulcioroots and tuf packages from cosign #435 (comment))/assign @haydentherapper
The text was updated successfully, but these errors were encountered: