Should registries be responsible for keeping snapshot and timestamp updated, or should these be generated externally, then uploaded to the registry? We will likely want them to be separate from the registry, and associated with the entity that owns the associated root metadata.
I would start with assuming it's a separate process, which may also help with maintaining copies of signed data on other registries. And once we have a working system we can look at what options there may be to add that feature either directly into the registry or packaged as a service that is deployed alongside the registry (e.g. the way auth with tokens is separate from the registry today).
For the longer term, distribution-spec has their extensions they are looking at which gives a way to have a registry with the APIs directly integrated, so as long as what we create can be later embedded into their API, I think we'll be good. Hopefully that just means the signing client needs a URL for sending the updates for the snapshots, and that URL can be an external web service or something directly on the registry.
This issue is part of #2.