This is a modified version of the workflow from the project itself:
* Not using personal access tokens because I believe they are a
security issue (this means Branch-Protection check will be incorrect)
* Not uploading results to actions cache: Maybe there's a point but I
don't see it as the SARIF files are not very human readable
This should give us some code scanning alerts in the security tab on GitHub.
This is not really what I'm interested in though so I've enabled the upload
to https://api.securityscorecards.dev/. The results json on there is not
exactly readable but it is good enough to check what the current results
are -- and deps.dev should use those results after some delay I believe.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
There may be ways to unsafely use the client library but the situation
should be significantly better now with ngclient:
* metadata writing is safer, more atomic
* non-root cached metadata is never trusted (so inconsistent
cached repository is not a security issue)
* the cache locations are now clearly application
decisions (they are required Updater constructor args)
Move the notice to Updater module documentation.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Change docs in preparation for the close v1.0.0 release.
- Remove important notice about upcoming 1.0.0 release from README
- Reword 1.0.0-ANNOUNCEMENT.md to not sound outdated after release
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Update README.md#Acknowledgements
- Reword to acknowledge maintainer contributions as well
- Remove names that are mentioned in maintainers document
- Remove duplicate Konstantin Andrianov
Santiago Torres-Arias, Sebastien Awwad, Trishank Kuppusamy,
Vladimir Diaz)
- Add new significant contributors
(Ivana Atanasova, Kairo de Araujo, Martin Vrachev)
Remove unmaintained AUTHORS.txt, which lists many individuals and
organisations that are/were not affiliated with 'python-tuf', but
other projects in the TUF ecosystem (Thandy, Notary, etc.) and
thus is not suited for this repository.
-> theupdateframework.io#38
Caveats:
- Significant contributors means top ~20 committers sorted by
commit count (`git shortlog -s`).
- The Acknowledgements section might miss significant contributors,
if they contributed by other means than git commits in this repo.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
- Add generic opening sentence that says what TUF actually does.
- Add link to #tuf channel on CNCF slack to contact section
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The URL was referring to an older workflow name which led to a badge
that no longer updates based on CI results. This commit also changes to
using "actions/workflows/FILENAME/badge.svg" as current documentation
suggests.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
The code examples now have a simple README.md. This commit simplifies
the README.md examples section to point to the example folder instead of
listing each example.
Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
This commit fixes the relative links on README.md, adding absolute
links.
PyPI renders the README.md as an HTML page on the landing page
of the python-tuf package. If the links are not absolute links to
the files in git repository, they will fail.
Fixes: #1739
Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
* ngclient and Metadata API are production ready: start with them, then
mention legacy
* link to API reference instead of code
* link to examples instead of (legacy) getting started document
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
* Add a document that announces a stable "modern
implementation"-only 1.0.0 release, with the following contents:
- the scheduled release date
- contents of release (metadata API, ngclient, no legacy code)
- legacy code deprecation note (adr 2)
- note about lack of repository tool (adr 10)
- migration instructions
* Add "important notice" to head of main README, pointing to above
document.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The Dependabot status badge no longer works, since having
migrated from stand-alone to GitHub native in #1258.
The issue is tracked upstream in dependabot/dependabot-core#1912.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
A recent commit reinstates publishing of coverage data to
coveralls.io. This commit re-adds the corresponding badge which
was temporarily removed in #1242.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The newly added GitHub workflow, which replaces Travis and Appveyor,
does not support publishing coverage (coveralls) and license
(fossa) data yet (formerly done by Travis).
This commit removes the corresponding badges from README. It shall
be reverted once coveralls and fossa are re-enabled.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Replace mentions of travis/appveyor with GitHub Actions in
governance (contribution) and readme (badges) documents.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Update badge URL in readme after migrating from travis-ci.org to
travis-ci.com, due to brownout on the former.
Migration was performed via Travis Web UI:
https://docs.travis-ci.com/user/migrate/open-source-repository-migration
NOTE: This is a quick fix to speed up Travis builds until we switch
to GitHub Actions (#1195)
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The PyUp GitHub integration for TUF stopped working a few days
ago. Instead of troubleshooting, I'm seizing the opportunity to
replace it with Dependabot, which has been shown to work well in the
in-toto org.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
at the very top of the README.
and:
- note that this implementation is intended to conform to version
1.0 of the TUF specification
- draw some distinctions between the TUF design and this ref impl.
- turn the older blurb about TUF into an About-TUF section
- expand that blurb with a link to both an introduction in the repo
and the TUF website
- make the documentation links a bit more explicit
- shuffle some graphical elements for better appeal
- minor changes like extending some link text
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>