model-transparency icon indicating copy to clipboard operation
model-transparency copied to clipboard
verified publisher icon sigstore

v1 release

Open laurentsimon opened this issue 1 year ago • 6 comments

This is a proposal for v1 release. Scope: support sigstore for path only (no in-memory path support). This requires to implement only a subset of https://github.com/sigstore/model-transparency/issues/172:

# model.py
def sign(
      input: Path,
      sig: Path  = defaultSigPath(input),
      recompute_paths: []Path = None,
      ignored_paths: []Path = [".git"],
     ) -> None
    ...

def verify(
      input: Path,
      sig: Path  = defaultSigPath(input),
      verifier: Verifier = SigstoreVerifier(),
      ignored_paths: []Path = [".git"],
    ) -> bool

What needs to be done:

Simple

  • [ ] Make all API private except SigstoreSigner / SigstoreVerifier and model.verify / model.sign - see https://github.com/sigstore/model-transparency/issues/172 for APIs.
  • [x] https://github.com/sigstore/model-transparency/issues/174.
  • [x] https://github.com/sigstore/model-transparency/issues/157
  • [x] Add raw signer to API
  • [ ] https://github.com/sigstore/model-transparency/issues/179
  • [x] https://github.com/sigstore/model-transparency/issues/196

Medium

  • [ ] https://github.com/sigstore/model-transparency/issues/160.

More work

  • [ ] Decide the default parameters for sha256pv1 hash (shard size), or
  • [ ] https://github.com/sigstore/model-transparency/issues/13https://github.com/sigstore/model-transparency/issues/13. TBD: benchmarking
  • [ ] Define the manifest format |https://github.com/sigstore/sigstore-python/issues/982

We can add support for more features https://github.com/sigstore/model-transparency/issues/172 without breaking backward compatibility

laurentsimon avatar May 13 '24 23:05 laurentsimon

@mihaimaruseac what do you think of making these the prio for v1?

laurentsimon avatar May 14 '24 17:05 laurentsimon

I think anything that comes for the API are priority. So #172 , #111 (manifest), #140 (hash engine), #160 (incremental rehashing) are a must. As part of this, we will also need to clean-up BaseResult (#174).

Looking back, that's exactly the list you mentioned above.

mihaimaruseac avatar May 14 '24 17:05 mihaimaruseac

I think #157 might also be good to have in the release

mihaimaruseac avatar May 14 '24 17:05 mihaimaruseac

I think #157 might also be good to have in the release

Good call. Added to the list. Thanks!

laurentsimon avatar May 14 '24 17:05 laurentsimon

Added all of them to a milestone too. But also added improvement issues there, so it's good to keep track of the important ones on this issue

mihaimaruseac avatar May 14 '24 17:05 mihaimaruseac

This was discussed in the SIG meeting of 12 June 24. We would like to also support private PKI for this release. (We don't need to support all possible features, and we'll add new ones without breaking backward compatibility)

laurentsimon avatar Jun 12 '24 16:06 laurentsimon