post-migration steps

[jku]

This is a meta-issue for various cleanups after the #1320 is done:

• Merge dependency updates that have been blocked during migration
• Update README
• Update docs -- continues in documentation cleanup #1369
• Remove repository/ (the legacy metadata)
• Review and remove config/: related custom fields are still included in the metadata but this config is not used to produce it
• Review and remove code that is no longer used: cmd/, scripts/, release/, pkg/
• Review and remove tests/: my understanding is that tuf-on-ci plus the custom client tests in custom-test.yml are already better
• Revert or re-evaluate probers changes in drop preprod prober alerts to 7 days given upcoming signing event sigstore-probers#269 -- sync with [root v11] signing period length #1355
• Cleanup the production GCS bucket: we should just remove non-versioned root.json, targets.json and snapshot.json: they will be more and more out of date so much better to return straight 404s
• remove the "preprod" GCS bucket: tuf-on-ci uses github pages for same purpose, leaving stale data in the GCS bucket seems wrong. sigstore-probers seems to be he only existing user of the preprod bucket (PR already exists to change that)

[haydentherapper]

For the GCS steps:

• To clean up the production bucket, will grant the permission to edit objects in the bucket which would let you clear out these files
• For the preprod bucket, will need to clean up scaffolding terraform and remove all references in public-good-instance as well

[haydentherapper]

Should we remove the old versioned targets, timestamp and snapshots as well? I know we need to keep versioned roots, but I believe it's safe to remove the other old versioned metadata?

[jku]

Should we remove the old versioned targets, timestamp and snapshots as well? I know we need to keep versioned roots, but I believe it's safe to remove the other old versioned metadata?

We can remove them, but there's no pressure to do so -- especially with current expiries there will not be that many new versions (apart from timestamp that is not versioned in the filename). If we do, I guess it would be best to do it more than a week after a signing event so that no-one can legitimately be using the removed metadata anymore.

[haydentherapper]

We should also decide if we want to yank all releases at https://github.com/sigstore/root-signing/releases - I don't think they're in use anywhere, but I also don't know if yanking these releases will have unintended consequences.

[jku]

Docs are close but the long tail might take a while: I'll split that into #1369 and mark it done here

[jku]

I really thought I posted this comment already but apparently not?

Cleanup the production GCS bucket

This means we manually delete unprefixed root.json, snapshot.json, targets.json and registry.npmjs.org.json from "sigstore-tuf-root" GCS bucket. For clarity timestamp should not be removed.

@haydentherapper can you take this one or can you point me to how I get permission to do this?

[jku]

Thanks.

This means we manually delete unprefixed root.json, snapshot.json, targets.json and registry.npmjs.org.json from "sigstore-tuf-root" GCS bucket.

This is now done.

I also had another look in the load balancer logs: To my best knowledge all requests for these URLs are from old non-working cosign (which downloads these files for debugging purposes if it has already failed to process the actual versioned metadata).