Create bundle.md #341
Create bundle.md #341
Conversation
✅ Deploy Preview for docssigstore ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
loosebazooka
force-pushed
the
patch-2
branch
2 times, most recently
from
9384cf3
to
879f21f
Compare
A human readable bundle specification, specifically for the public good instances Co-authored-by: Hayden B <[email protected]> Signed-off-by: Appu <[email protected]>
|
fixed some formatting things |
|
Will let @steiza review, then I’ll merge |
content/en/about/bundle.md
Outdated
|
|
||
| #### Transparency Log Entries | ||
|
|
||
| One or more transparency logs entries to provide proof of inclusion in a public log and optionally a timestamp to |
There was a problem hiding this comment.
Minor: a transparency log entry isn't required for a bundle, should we say "Zero or more..." like we do below for Timestamps?
We already say above:
bundles must include at least one transparency log's signed entry timestamp or an RFC3161 timestamp
There was a problem hiding this comment.
Oh I always thought a log entry was required but you don't have to trust the log's clock (so you can ignore the SET and use the rfc3161 timestamp). Maybe requiring a log entry is only true for the public usecase?
There was a problem hiding this comment.
Log entries are not required - https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto#L105
I think we should word it that it is expected that bundles contain log entries for public consumption.
There was a problem hiding this comment.
updated this section a bit
Signed-off-by: Appu Goundan <[email protected]>
A human readable bundle specification, specifically for the public good instances
I'm not sure doing only public good is idea, but I think it removes some of the other more confusing things from the spec.
The included github attestation example is from conformance -- maybe there's a better real world example somewhere?