feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

rdimitrov · 2024-01-25T13:57:44Z

Description:

The following PR replaces the content of the existing master branch with the content of the https://github.com/rdimitrov/go-tuf-metadata.

It includes the following changes:

Created a commit which wiped out the existing content
Cherry-picked all commits from https://github.com/rdimitrov/go-tuf-metadata on top. The motivation is so we can preserve the history of both projects and also recognise the contributions made by all so far.
Switched rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2
Update the licensing to one that corresponds to the theupdateframework organisation (decided to make this in a follow up PR so we keep this one only about the migration)

What's next

Once we merge this, we'll leave some time (more than a month) before we deprecate the rdimitrov/go-tuf-metadata repository in favour of this one
Migrate all opened issues to this repository and revisit existing ones whether they still make sense or not
Migrate back things that are useful from the legacy go-tuf code - templates, code owner files, licence files, workflows?, etc.

Motivated by #485

Types of changes:

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected). Please ensure that your PR title is a Conventional Commit breaking change (with a !, as in feat!: change foo).

Description of the changes being introduced by the pull request:

Please verify and check that the pull request fulfills the following requirements:

Tests have been added for the bug fix or new feature
Docs have been added for the bug fix or new feature

Signed-off-by: Radoslav Dimitrov <[email protected]>

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.4.4 to 1.5.0. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.4.4...v1.5.0) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

…framework#3) * docs: add comments describing the different types Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: add golangci and codeql Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: begin adding tests Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: add licence notice Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: update licence year to 2023 Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: fix linting error Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: temp limit ci to ubuntu so we don't waste GHA resources Signed-off-by: Radoslav Dimitrov <[email protected]> Signed-off-by: Radoslav Dimitrov <[email protected]>

…ateframework#76) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…amework#78) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.13.0 to 0.14.0. - [Commits](golang/sys@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…teframework#79) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Radoslav Dimitrov <[email protected]>

…eframework#81) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.15.0. - [Commits](golang/crypto@v0.14.0...v0.15.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Radoslav Dimitrov <[email protected]>

theupdateframework#82) Since TUF spec 1.0.32 the key type for ecdsa does not include the parameters, they are only part of the key-scheme. This commit updates the default keytype to not include the parameters, but includes a compatibility key type to be able to accept metadata compliant with older versions of the spec. Signed-off-by: Fredrik Skogman <[email protected]>

* Ignore temporary files from emacs (ends qith '~') Signed-off-by: Fredrik Skogman <[email protected]> * Remove dep of go-logr/logr. Provided is an (almost) logr compatible interface. Signed-off-by: Fredrik Skogman <[email protected]> * Remove V method from logger. Signed-off-by: Fredrik Skogman <[email protected]> * remove unnecessary variable Signed-off-by: Fredrik Skogman <[email protected]> * Removed unnecessary code change Signed-off-by: Fredrik Skogman <[email protected]> * ran go mod tidy Signed-off-by: Fredrik Skogman <[email protected]> --------- Signed-off-by: Fredrik Skogman <[email protected]>

…amework#85) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.14.0 to 0.15.0. - [Commits](golang/sys@v0.14.0...v0.15.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…eframework#87) * Added an unsafe method for loading the tuf metadata on disk Signed-off-by: Fredrik Skogman <[email protected]> * Feedback from review. Added a config parameter instead of a separate method. Signed-off-by: Fredrik Skogman <[email protected]> * Added unit tests for unsafe local mode Signed-off-by: Fredrik Skogman <[email protected]> * DEBUG: remove added tests Signed-off-by: Fredrik Skogman <[email protected]> * comment out correct test Signed-off-by: Fredrik Skogman <[email protected]> * Uncommented tests cases and disabled go caching Signed-off-by: Fredrik Skogman <[email protected]> --------- Signed-off-by: Fredrik Skogman <[email protected]>

…eframework#84) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.16.0. - [Commits](golang/crypto@v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…heupdateframework#90) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.7.5 to 1.7.6. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.7.5...v1.7.6) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…eframework#92) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0. - [Commits](golang/crypto@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…heupdateframework#93) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.7.6 to 1.8.0. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](sigstore/sigstore@v1.7.6...v1.8.0) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…amework#95) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0. - [Commits](golang/sys@v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…eframework#96) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.17.0 to 0.18.0. - [Commits](golang/crypto@v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…o-tuf/v2 Signed-off-by: Radoslav Dimitrov <[email protected]>

rdimitrov · 2024-01-25T14:17:41Z

This is what I used to copy the content and its history -

#!/bin/bash

# Retrieve all commit hashes from the first commit onwards, in chronological order
commit_hashes=$(git log source/main --reverse --format="%H")

# Cherry-pick each commit from the source repository
for commit in $commit_hashes; do
    git cherry-pick $commit
    if [ $? -ne 0 ]; then
        echo "Cherry-picking commit $commit failed."
    fi
done
echo "All commits have been successfully cherry-picked"

There were 3 merge commits (empty) that failed being cherry-picked but since they are empty ones they are not relevant
source/main is rdimitrov/go-tuf-metadata@main

kommendorkapten · 2024-01-29T08:59:41Z

So excited to see this! 🚀

kommendorkapten

Well good!

rdimitrov and others added 30 commits January 24, 2024 14:51

Remove legacy go-tuf code

b76646f

Signed-off-by: Radoslav Dimitrov <[email protected]>

Initial commit

2f22f0a

Signed-off-by: Radoslav Dimitrov <[email protected]>

update basic_repo.go example

e3fb769

Signed-off-by: Radoslav Dimitrov <[email protected]>

Update README.md

f29347f

update example to use the placeholder repo instance

7a97b4f

Signed-off-by: Radoslav Dimitrov <[email protected]>

implement verifiers for length and hash

3485d06

Signed-off-by: Radoslav Dimitrov <[email protected]>

set consistent snapshots to true when init

de9cb26

Signed-off-by: Radoslav Dimitrov <[email protected]>

add version check for metafiles

610ee9f

Signed-off-by: Radoslav Dimitrov <[email protected]>

remove delegations object when creating targets metadata

193985a

Signed-off-by: Radoslav Dimitrov <[email protected]>

use variable for custom values

f4f285b

Signed-off-by: Radoslav Dimitrov <[email protected]>

fix rsa and ecdsa key type support

ad6cffe

Signed-off-by: Radoslav Dimitrov <[email protected]>

implement GetRolesForTarget

1cff8e2

Signed-off-by: Radoslav Dimitrov <[email protected]>

implement trusted metadata set

4dcbb08

Signed-off-by: Radoslav Dimitrov <[email protected]>

tidy up code and rename repo to repository

43f8868

Signed-off-by: Radoslav Dimitrov <[email protected]>

rename to go-tuf-metadata

a298a28

Signed-off-by: Radoslav Dimitrov <[email protected]>

update README.md and testdata

c3b1ad4

Signed-off-by: Radoslav Dimitrov <[email protected]>

proceed implementing the Updater - implement loadTargets

db83b72

Signed-off-by: Radoslav Dimitrov <[email protected]>

complete the Updater implementation

4cc0bd6

Signed-off-by: Radoslav Dimitrov <[email protected]>

ed25519 public key should be hex only

85d1591

Signed-off-by: Radoslav Dimitrov <[email protected]>

restructure example folder

ca55d5a

Signed-off-by: Radoslav Dimitrov <[email protected]>

introduce logrus and restructure file layout

ceb1ffa

Signed-off-by: Radoslav Dimitrov <[email protected]>

add bsd-2 licensing

cf43183

Signed-off-by: Radoslav Dimitrov <[email protected]>

Update license name so it matches the GitHub license keyword

ee8aeb4

Signed-off-by: Radoslav Dimitrov <[email protected]>

add code of conduct, contributing and gitignore files

5aba429

Signed-off-by: Radoslav Dimitrov <[email protected]>

update readme

aee21ad

Signed-off-by: Radoslav Dimitrov <[email protected]>

fix formatting for code of conduct

e762870

Signed-off-by: Radoslav Dimitrov <[email protected]>

Create dependabot.yml

ff78023

dependabot bot and others added 21 commits January 25, 2024 12:36

Add Trivy scan to workflow

9b8deba

Signed-off-by: Radoslav Dimitrov <[email protected]>

Update README

931f74a

Signed-off-by: Radoslav Dimitrov <[email protected]>

Use pinned actions

a142637

Signed-off-by: Radoslav Dimitrov <[email protected]>

Enroll go-tuf-metadata to Minder and store profile

1bdd94e

Signed-off-by: Radoslav Dimitrov <[email protected]>

Update the multirepo example metadata

dd861e9

Signed-off-by: Radoslav Dimitrov <[email protected]>

chore: split actions to tests and linting (theupdateframework#89)

0c0a360

Move from rdimitov/go-tuf-metadata to github.com/theupdateframework/g…

082c914

…o-tuf/v2 Signed-off-by: Radoslav Dimitrov <[email protected]>

haydentherapper mentioned this pull request Jan 26, 2024

Update TUF client to support options and add LiveTrustedRoot sigstore/sigstore-go#41

Merged

3 tasks

rdimitrov self-assigned this Jan 29, 2024

kommendorkapten approved these changes Jan 29, 2024

View reviewed changes

rdimitrov added enhancement code health breaking labels Jan 29, 2024

rdimitrov merged commit 4e440e2 into theupdateframework:master Jan 29, 2024
14 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

rdimitrov commented Jan 25, 2024 •

edited

Loading

rdimitrov commented Jan 25, 2024

kommendorkapten commented Jan 29, 2024

kommendorkapten left a comment

feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 #583

Conversation

rdimitrov commented Jan 25, 2024 • edited Loading

rdimitrov commented Jan 25, 2024

kommendorkapten commented Jan 29, 2024

kommendorkapten left a comment

Choose a reason for hiding this comment

rdimitrov commented Jan 25, 2024 •

edited

Loading