Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Implement DSSE bridge?
See original GitHub issueThe fact that TUF metadata contains the non-canonical form of the payload is a known issue (see https://github.com/secure-systems-lab/dsse for future plans).
While we wait for the spec to evolve, I wonder if we should implement a sort of bridge API between DSSE and current TUF Metadata? Metadata.to_dsse_bytes() / Metadata.from_dsse_bytes() or something.
This would allow e.g. a repository to require the admin/developer upload API to use DSSE (allowing the repository to never parse large amounts of unverified json) while still allowing both the admin tools and the actual published repository to work with current TUF metadata and current python-tuf API.
Issue Analytics
- State:
- Created a year ago
- Comments:14 (12 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
the advantage of using canonical JSON as the signed content in the DSSE would have been that you could go from DSSE to current TUF metadata without resigning anything (which would be useful to avoid that parsing-unsigned-unsafe-data issue)… but Lukas is likely right that this is just not possible as “canonical JSON” is not actually JSON and we can’t parse it as JSON 🤦
So likely we just want to close this issue as wishful thinking … but if you have any new ideas feel free to expand
My plan is to finalize https://github.com/in-toto/in-toto/pull/503, and see if the same approach can be used for python-tuf.