WIP
raw notes from the breakout sessions at transparency.dev summit 2025 in Gothenburg:
(please put structured content *above* this)
philippo's log
- sigsum or sigstore - the latter needs OAuth, but fine if someone wants to do it
we want >1 log (so one can be down, aka availability) and multiple witnesses (for availability and maybe also trust distribution)
witnesses need trusted hosting (keys should not be compromised); logs should have availability!
put this on a wiki page
- linus happy to help
binary transparency log:
- log of binary packages
maybe not needed because: key usage transparency:
- log of release files signing events, making key usage detectable
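
A sketch of what "making key usage detectable" means for a monitor, combined with the ">1 log" point above. This is an example added to these notes, not code from any of the projects mentioned; the key id, log names, entry format and release file contents are all constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: release files the maintainers know they signed.
RELEASE_KEY = "release-key-2025 (constructed key id)"
KNOWN_RELEASES = {
    sha256_hex(b"release file 2025-10-01"): "2025-10-01",
    sha256_hex(b"release file 2025-10-08"): "2025-10-08",
}

# Constructed log contents: one entry per signing event, as
# (key id, checksum of the signed release file). None models a log that is down.
LOG_A = None
LOG_B = [
    (RELEASE_KEY, sha256_hex(b"release file 2025-10-01")),
    (RELEASE_KEY, sha256_hex(b"release file 2025-10-08")),
    (RELEASE_KEY, sha256_hex(b"release file nobody remembers signing")),
]

def audit_key_usage(logs, key_id, known):
    """Compare logged signing events for key_id with the maintainers' record."""
    reachable = [entries for entries in logs.values() if entries is not None]
    if not reachable:
        # With every log down nothing can be concluded; fail loudly.
        raise RuntimeError("no log reachable, key usage cannot be audited")
    logged = {digest for entries in reachable
              for kid, digest in entries if kid == key_id}
    expected = set(known)
    return {
        # Key was used on something the maintainers have no record of.
        "unexpected": sorted(logged - expected),
        # Signed by the maintainers but not visible in any reachable log.
        "unlogged": sorted(expected - logged),
        "logs_down": sorted(name for name, e in logs.items() if e is None),
    }

if __name__ == "__main__":
    report = audit_key_usage({"log-a": LOG_A, "log-b": LOG_B},
                             RELEASE_KEY, KNOWN_RELEASES)
    for field, values in report.items():
        print(field, values)
```

The audit only means something if clients refuse release files whose signing event is not logged; otherwise a signature made with a stolen key never has to appear in a log.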
