Keeping private artifacts separate #6

Open
mnm678 opened this issue Sep 3, 2021 · 2 comments
Comments

@mnm678
Contributor

mnm678 commented Sep 3, 2021

TUF needs to ensure that some artifacts and metadata are private. This means that these artifacts should not be included in externally available snapshot metadata.

This issue is part of #2

@mnm678
Contributor Author

mnm678 commented Sep 3, 2021

This issue may be as simple as allowing users to opt-out of snapshot for private repositories. Or, we can let private repositories have their own snapshot metadata.

@justincormack
Contributor

The main requirement is that we should never disclose even the existence of private content to people not authorized to access it. This may mean that each differing set of permissions needs its own snapshots and metadata in general. As permissions are set at repo level, this is why Notary v1 ended up having a TUF root for each repository, despite the fact that this caused other issues.
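One way to realize the per-permission-set snapshots discussed in this thread, as an added illustration that is not code from the TUF project or from either commenter; the repository contents, role file names and permission labels are constructed for the example:

```python
import json
from typing import Dict, FrozenSet, List

# Constructed example repository (not from the TUF project): each delegated
# targets metadata file carries the version that snapshot must pin, plus the
# permissions a client needs before it may learn the file even exists.
ROLES: Dict[str, dict] = {
    "targets.json":        {"version": 4, "permissions": frozenset({"public"})},
    "team-a-private.json": {"version": 2, "permissions": frozenset({"team-a"})},
    "team-b-private.json": {"version": 7, "permissions": frozenset({"team-b"})},
}

def visible_roles(roles: Dict[str, dict], perms: FrozenSet[str]) -> List[str]:
    """Metadata files a client holding `perms` is authorized to know about."""
    return sorted(name for name, r in roles.items() if r["permissions"] <= perms)

def build_snapshot(roles: Dict[str, dict], perms: FrozenSet[str],
                   version: int, expires: str) -> dict:
    """Signed portion of a TUF snapshot for one permission set.

    Only authorized files are listed under "meta", so neither the names nor
    the versions of private metadata leak to clients lacking those perms."""
    meta = {name: {"version": roles[name]["version"]}
            for name in visible_roles(roles, perms)}
    return {"_type": "snapshot", "spec_version": "1.0.0",
            "version": version, "expires": expires, "meta": meta}

def snapshots_per_permission_set(roles: Dict[str, dict], principals: Dict[str, FrozenSet[str]],
                                 version: int = 1, expires: str = "2030-01-01T00:00:00Z"
                                 ) -> Dict[FrozenSet[str], dict]:
    """One snapshot per distinct permission set among `principals`
    (principal -> permissions); principals with identical sets share one."""
    return {perms: build_snapshot(roles, perms, version, expires)
            for perms in set(principals.values())}

def unauthorized_entries(snapshot: dict, roles: Dict[str, dict],
                         perms: FrozenSet[str]) -> List[str]:
    """Names in `snapshot` that a holder of `perms` should never have seen.
    Run over a single global snapshot, this shows exactly what is disclosed."""
    return [name for name in snapshot["meta"]
            if not roles[name]["permissions"] <= perms]

if __name__ == "__main__":
    principals = {"anonymous": frozenset({"public"}),
                  "alice": frozenset({"public", "team-a"}),
                  "bob": frozenset({"public", "team-b"})}
    for perms, snap in snapshots_per_permission_set(ROLES, principals).items():
        print(sorted(perms), json.dumps(snap["meta"]))
```

The public snapshot lists only `targets.json`, while a single repository-wide snapshot would expose the private role names and versions to anonymous clients.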
