(WIP) Mention possibility of entirely different root layouts
This is for situations where different packages are results of
different projects / supply chains.

Signed-off-by: Aditya Sirish <[email protected]>
adityasaky committed Apr 17, 2020
1 parent 464a2a5 commit 753a8ff
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions ITE/2/README.adoc
Expand Up @@ -176,9 +176,13 @@ from that for another package. This MAY be done in a number of different
ways, but perhaps the simplest is to use directories with unique names to
isolate different in-toto link metadata for different packages, where the
name MAY be the SHA-256 hash of the "`developer`" step link metadata file
for a particular package. The root layout MAY be identical for each
of these packages, but it can differ to allow for changes in the supply
chain such as changes in functionaries' keys.
for a particular package. The root layouts MAY be identical for each
of these packages where they are all the results of the same supply chain.
The root layouts MAY differ to allow for changes in the supply chain (such
as revoking functionaries' keys), or even to account for packages that are
from entirely different supply chains (therefore, with entirely different
root layouts). By using consistent snapshots and defining custom targets
metadata, backward compatibility can be maintained.
. The targets metadata MUST also list the targets metadata of all
in-toto link metadata files associated with all available packages. Note
that as the number of packages grows, so will the size of this metadata
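Review bot: The added text allows root layouts to be "entirely different" per package, but nothing in this hunk says how a client determines which root layout applies to which package. The directory isolation described just above covers only the in-toto link metadata, so the binding between a package, its root layout and the keys for that layout is left implicit. Consider stating it explicitly, probably as a MUST on the targets metadata, since verifying a package against a layout from another supply chain would defeat the check. The closing sentence, "By using consistent snapshots and defining custom targets metadata, backward compatibility can be maintained", is also too vague to implement: it does not say what stays compatible with what, or which custom fields are meant. A pointer to the relevant section or a short example of the custom targets metadata would help. Minor: "(therefore, with entirely different root layouts)" restates the start of the same sentence and could be dropped.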