I’m on a phone so please forgive me if I missed it, but is the intended threat model for gittuf documented anywhere? I see a reference (in the linked paper) to a vulnerability that’s been submitted to CERT that gittuf is expected to remediate, but it wasn’t immediately clear to me whether using an authenticated transport (e.g. SSH) would solve that particular issue as well.
The paper is from quite a few years ago now and the reference is for a subset of gittuf's threat model, specifically the metadata manipulation / reference state attacks. The paper talks about MITM as one way to carry out a ref state attack, but if you're communicating with a compromised repository, you can be a victim of such an attack even if you're using authenticated transport and using signed commits / tags that you have a way of verifying.
We do have a threat model for gittuf that we've been meaning to add [0] to the design doc. I'll try and get that done today. It should probably be in there before we tag our alpha release. :)