-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decide on a deprecation strategy for migrating the code to a new Go-based TUF implementation - rdimitrov/go-tuf-metadata #485
Comments
As long as we finally get more flexible key support, including PKCS#11 (#427) and other options (#525), maybe even Yubikeys then you've got my +1 @rdimitrov 😉 Also strikes me as sensible to aim to kill the dependency on |
As far as I know the new code base only uses the For Yubikeys it should just be a matter of talking to the Yubikey PIV and use PKCS11, could also be done by using an outside tool to get the crypto token and feed it into stdin maybe? |
@MDr164 Thanks for the reply. If |
The current/older code base also uses the lib for the EDIT: And for the issue you linked I suppose the idea is to have specialized implementations of crypto algorithms not inside the go-tuf repository but rather in the securesystemslib though I would also prefer to use stdlib crypto or golang.org/x/crypto in case the sought after implementation already exists to a usable degree. If not, pulling in securesystemslib would still be the more viable solution, no? |
So for the migration I propose following steps:
This way we would be able to support both the legacy code and the new code base and users would just have to depend on the respective minor release. Due to not being bound to API guarantees with a v0 major version this would be allowed according to semantic version conventions. Though we should announce this change as to not surprise anyone. |
Agree: let's do this |
Thanks for this @MDr164 💯 At today's go-tuf meeting we agreed to cut a release having the latest go-tuf state as of now (v0.7.0) next Monday and create a branch with it after that. After that we'll be free to proceed with step 3. We can even sync about it if you'd like to help with that 👍 |
Sounds good, I'll be at tomorrows TUF general sync as well. In addition I'm currently preparing to cut a release for my software that consumes go-tuf as well so this aligns well. Also got some WIP code for the unit tests I still need to put up so I know what deadline I gotta work with 👍 |
Awesome! It's not a hard deadline though so we can adapt if needed 👍 |
@rdimitrov would you like to pin this issue to the repo so people coming here can see the motivation and the way to go at the first glance? |
Thanks! Created a PR about it - #569 |
I was talking with @codysoyland yesterday about this. He proposed creating a new Maybe this has been proposed earlier and I missed that. |
@kommendorkapten is going to explore the "v2" tag option and create steps to perform this release |
Reference of updating the CI to run for the branched version - sigstore/cosign@43bde0e |
I'll keep this one opened until we:
|
The following issue is a placeholder for discussing the migration strategy of deprecating the current go-tuf code base in favor of https://github.com/rdimitrov/go-tuf-metadata.
Reason
The reasoning behind this is the discussions we've been having in the go-tuf community for the past 1+ years regarding the overall maintainability and usability of the current implementation. There are several less-than-optimal design decisions in go-tuf which often cause a lot of unnecessary implications both for the maintainers of the project but also for the actual users. Adding a feature or a simple bug fix (i.e. #272) sometimes ends up being surprisingly difficult to implement and review, and unfortunately, that makes it much harder to attract new contributions too.
Python-tuf was in the same situation and its community decided to do the same thing successfully redesigning its codebase approx. 2 years ago. The go-tuf community got inspired by this and evaluated that it would be worth to try and apply the same design principles used in python-tuf to create a new Go-based TUF implementation.
The result of this effort is the https://github.com/rdimitrov/go-tuf-metadata project.
Another example of this approach was developed in parallel - https://github.com/theupdateframework/tuf-js, which is a javascript-based implementation of TUF again based on the python-tuf design.
Goal
The end goal is to deprecate the current go-tuf codebase and replace it with the one from https://github.com/rdimitrov/go-tuf-metadata, so we continue to use the same repository location. The following are some of the things we need to complete in not order to accomplish that:
These are just some of the action items, but of course, more will be added in the process of this discussion.
The text was updated successfully, but these errors were encountered: