### Questions about Signy MVP

- it appears that some extra empty entries are added to the links map (which is most likely a result of me changing up the directory structure of the metadata a bit), which I don't think should happen, and we should probably check when constructing the links object.

  ```json
  "localhost:5000/intoto-test-check-links:v1": {
    "custom": {
      "intoto": {
        "data": null,
        "links": [
          "",
          "",
          "",
          "localhost:5000/intoto-test-check-links/in-toto-metadata/testdata/intoto/minimal/root.layout",
          "localhost:5000/intoto-test-check-links/in-toto-metadata/links/developer.2d2e5437.link",
          "localhost:5000/intoto-test-check-links/in-toto-metadata/links/machine.dd035ca2.link"
        ],
        "pubkeys": null
      }
    },
  ```

- although I don't have strong opinions here, I'm not sure re-using a single top-level `Metadata` object to represent both link and bundle targets works, as they have different populated fields. Besides this, the "bundle" target contains both links and the root layout in the "Links" field, which is unexpected. Is there any downside in having separate custom metadata structs?

- delegating the targets role to sign `in-toto/links` when the `--in-toto` flag hasn't been passed - is there any potential issue with doing so when we know that the current bundle version doesn't have any in-toto metadata? Is this for potential future updates that would include it? (also, same as with constructing the links object, there are a few empty entries in `paths`, and I can't seem to figure out where they are coming from):

  ```json
  "roles": [
    {
      "name": "targets/releases",
      "paths": [
        "",
        "",
        "localhost:5000/intoto-test-check-links:",
        "localhost:5000/intoto-test-check-links/in-toto-links/"
      ],
    }
  ]
  ```

- I think we might need to refactor the `tuf` package (specifically, its need to import the `in-toto` package). It might be worth bringing back the `trust` package (there used to be a `trust` package that contained a version of the current `SignAndPublish` function, which now needs to import `in-toto` - and because of that, we can't import `tuf` functionality in the `intoto` verification process). Gritty internal details, but I thought it was worth bringing up to justify some changes to the package structure.
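As an added illustration of the check raised in the first and second points (this is example code, not Signy's own), a Go helper that validates target names before they are written into TUF custom metadata and keeps the root layout in a field separate from the links; the `InTotoTargets` type and `BuildInTotoTargets` function are assumed names, and the input paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// InTotoTargets is a hypothetical alternative to one shared Metadata struct:
// the root layout and the link files live in separate fields, so a bundle
// target cannot end up with the layout mixed into its links list.
type InTotoTargets struct {
	Layout string
	Links  []string
}

// BuildInTotoTargets validates candidate target names before they reach the
// custom metadata. Empty names (like those in the issue) are rejected rather
// than silently appended, entries are routed by extension, duplicates are
// refused, and exactly one root layout is required.
func BuildInTotoTargets(names []string) (InTotoTargets, error) {
	var t InTotoTargets
	seen := map[string]bool{}
	for i, name := range names {
		if strings.TrimSpace(name) == "" {
			return t, fmt.Errorf("entry %d: empty target name", i)
		}
		if seen[name] {
			return t, fmt.Errorf("entry %d: duplicate target %q", i, name)
		}
		seen[name] = true
		switch path.Ext(name) {
		case ".layout":
			if t.Layout != "" {
				return t, fmt.Errorf("entry %d: second root layout %q", i, name)
			}
			t.Layout = name
		case ".link":
			t.Links = append(t.Links, name)
		default:
			return t, fmt.Errorf("entry %d: %q is neither a .layout nor a .link", i, name)
		}
	}
	if t.Layout == "" {
		return t, errors.New("no root layout among targets")
	}
	return t, nil
}

func main() {
	// Constructed input mirroring the issue: blank entries mixed with real targets.
	names := []string{"", "", "repo/in-toto-metadata/minimal/root.layout",
		"repo/in-toto-metadata/links/developer.2d2e5437.link"}
	_, err := BuildInTotoTargets(names)
	fmt.Println("with blanks:", err)
	t, err := BuildInTotoTargets(names[2:])
	fmt.Printf("clean: %+v err=%v\n", t, err)
}
```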