Fredrik Skogman

@mhdawson > packages that have native code often bundle in binaries for multiple different platforms. What would be the build workflow for those and how does it fit with existing...

My $.02 on this: What a trusted builder, audited and vetted by a trusted entity, provides is scalability around trust (this is not strictly related to SLSA, but I'll get...

> What specific SLSA 3 requirement would that fail to meet, and why would using [generator_generic_slsa3.yml](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) make a difference? I think the first-stage and second-stage builder is a great analogy...

Reading the draft RFC for Roughtime: https://datatracker.ietf.org/doc/draft-ietf-ntp-roughtime/ and the blog post above, it seems like it's an alternative to NTP, not as a TSA? While Roughtime expects a 32byte nonce...

Is there any known usage of Roughtime? Or a good client? I found this https://github.com/cloudflare/roughtime and tested it out a bit. Sadly it did not work for any of the...

Yeah, let me add version that's safe for concurrent use!

I added a new wrapper, `ConcurrentLocalStore` which can be used to protect any `LocalStore` (e.g. the in memory one and the raw JSON one) for concurrent access. This would let...

Windows tests are failing, I will look into this tomorrow.

The failing tests are due to filesystem permission, which on Windows is very different from UNIX-like operating system. I found this post on the topic: https://medium.com/@MichalPristas/go-and-file-perms-on-windows-3c944d55dd44 The summary is that...

Any updates on how to proceed with this (file permission on Windows host)? My comments and proposal are in the comment above: https://github.com/theupdateframework/go-tuf/pull/347#issuecomment-1211615181 cc @trishankatdatadog @ethan-lowman-dd