Add predicate type to the allowed media types for the envelope's payload type #473
TomHennen merged 3 commits into in-toto:main from
Conversation
marcelamelara left a comment:
Thanks for this PR @mdeicas ! Apologies for the long turnaround time on this one.
Since this is a spec change, can we please get a second @in-toto/attestation-maintainers review? I believe we'll also want to bump the minor version of the spec with this PR.
| - `payloadType` MUST be set to `application/vnd.in-toto+json`, which | ||
| indicates that the Envelope contains a JSON object with a `_type` field | ||
| specifying its schema. | ||
| - `payloadType` MUST be set to `application/vnd.in-toto.predicate+json` or to |
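Review bot: the visible added line drops the sentence from the removed lines that the Envelope "contains a JSON object with a `_type` field specifying its schema"; unless the rest of the new text restores it, keep that sentence after the list of allowed media types, because the PR description relies on consumers reading the Statement's `_type` (and `predicateType`) rather than treating the media type alone as evidence for a policy decision. As the inline comments already note, the placeholder should also match the storage convention (`<predicate>` rather than `predicate`), with a link to that section so the two uses cannot drift apart again.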
should this be <predicate file name> as above or <predicate> as in https://github.com/in-toto/attestation/blob/df7135a090fae2ed449bd95341652a9a2905b8e8/spec/v1/envelope.md#storage-convention?
yeah, these should be consistent. I would stick with <predicate> everywhere with a link to the explanation as below.
@mdeicas Can you please rebase your branch onto the current main to fix the linter errors?
…oad type. Predicate-specific media types are already recommended for individual attestations in storage systems -- see https://github.com/in-toto/attestation/blob/df7135a090fae2ed449bd95341652a9a2905b8e8/spec/v1/envelope.md#storage-convention. This PR makes the equivalent change for the envelope's `payloadType`. This change removes the inconsistency between the two uses of the media types and makes it easier to consume attestations (e.g. when manually opening up a bundle, in-toto#405). The risk is that a consumer uses solely the media type as evidence for a policy decision, but this is warned against in the documentation. A typo is also fixed in `bundle.md`. Signed-off-by: Marco Deicas <mdeicas@google.com>
Signed-off-by: Marco Deicas <mdeicas@google.com>
Signed-off-by: Marco Deicas <mdeicas@google.com>
Thanks for reviewing! The linter is now passing and I bumped the minor version to v1.2. Let me know if I didn't do that correctly.
This PR adds the predicate type to the allowed values for the envelope's payload type. A typo is also fixed in `bundle.md`.

Predicate-specific media types are already recommended for individual attestations in storage systems -- see https://github.com/in-toto/attestation/blob/df7135a090fae2ed449bd95341652a9a2905b8e8/spec/v1/envelope.md#storage-convention. This PR makes the equivalent change for the envelope's `payloadType`.

The motivation is to make it easier to consume attestations (e.g. when manually opening up a bundle, #405), and it also makes the two uses of the media types more consistent. There may be some risk that a consumer uses the media type as evidence for a policy decision, but this is warned against in the documentation.

The current `payloadType` (`application/vnd.in-toto+json`) is left as an allowed value for backwards compatibility.

This doesn't specify how to handle predicate-specific payload types for predicates that are not registered in this repo. These cases can continue to use `application/vnd.in-toto+json`, and this can be followed up on if needed.
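As an added example (not code from this PR or from the in-toto project), the following Python shows how a consumer can accept both the legacy generic `payloadType` and a predicate-specific one while still basing its decision on the Statement's own `_type` and `predicateType` fields, which is the risk the description above calls out. The regular expression for `application/vnd.in-toto.<predicate>+json`, the `EXPECTED_PREDICATE_TYPES` mapping from the `<predicate>` short name to a `predicateType` URI, and the sample Statement are assumptions constructed for illustration; signature verification is assumed to have happened before this step.

```python
import base64
import json
import re

# Media types accepted here, following the PR: the original generic type stays
# allowed for backwards compatibility, and predicate-specific types follow the
# storage convention application/vnd.in-toto.<predicate>+json.
GENERIC_PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_PAYLOAD_TYPE_RE = re.compile(
    r"^application/vnd\.in-toto\.([a-z0-9][a-z0-9.-]*)\+json$"
)
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

# Assumed mapping (illustration only, not from the spec) from the <predicate>
# short name used in the media type to the predicateType URI the Statement
# must carry. Unknown names are rejected rather than guessed.
EXPECTED_PREDICATE_TYPES = {
    "slsa-provenance": "https://slsa.dev/provenance/v1",
    "test-result": "https://in-toto.io/attestation/test-result/v0.1",
}


def classify_payload_type(payload_type):
    """Return ("generic", None) or ("predicate", <name>); reject anything else."""
    if payload_type == GENERIC_PAYLOAD_TYPE:
        return ("generic", None)
    match = PREDICATE_PAYLOAD_TYPE_RE.match(payload_type)
    if match:
        return ("predicate", match.group(1))
    raise ValueError(f"unsupported payloadType: {payload_type!r}")


def decode_statement(envelope):
    """Decode a DSSE envelope payload into a Statement and cross-check it.

    The media type is only a hint for routing and tooling. The decoded
    Statement's `_type` and `predicateType` are what a policy decision should
    use, and a predicate-specific media type that disagrees with them is
    treated as an error instead of being trusted.
    """
    kind, name = classify_payload_type(envelope["payloadType"])
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError(f"unexpected _type: {statement.get('_type')!r}")
    predicate_type = statement.get("predicateType")
    if not predicate_type:
        raise ValueError("Statement is missing predicateType")
    if kind == "predicate":
        expected = EXPECTED_PREDICATE_TYPES.get(name)
        if expected is None:
            raise ValueError(f"unknown predicate media type name: {name!r}")
        if predicate_type != expected:
            raise ValueError(
                f"payloadType names {name!r} but Statement predicateType "
                f"is {predicate_type!r}"
            )
    return statement


def make_envelope(statement, payload_type):
    """Build an unsigned envelope from a Statement (constructed test data)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": payload_type, "payload": payload, "signatures": []}


# Constructed sample Statement; the digest is a placeholder, not a real hash.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {}},
}

if __name__ == "__main__":
    for pt in (GENERIC_PAYLOAD_TYPE, "application/vnd.in-toto.slsa-provenance+json"):
        stmt = decode_statement(make_envelope(SAMPLE_STATEMENT, pt))
        print(pt, "->", stmt["predicateType"])
```

The cross-check in `decode_statement` is what keeps the new media types from becoming a policy input: a mislabelled envelope (say, a provenance Statement carried under the `test-result` media type) fails closed instead of being routed to the wrong verifier, and the generic type continues to work unchanged.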