The following program is released and supported:
./stmgr
New releases are announced on the System Transparency announce list. What changed in each release is documented in a NEWS file. The NEWS file also specifies which other System Transparency components are known to be interoperable, as well as which reference specifications are being implemented.
Note that a release is simply a signed git tag specified on our mailing
list, accessed from the stmgr repository. To verify tag signatures,
get the allowed-ST-release-signers file published at signing keys,
and verify the tag vX.Y.Z using the command
git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \
tag --verify vX.Y.Z
If desired, the config settings above can be stored more permanently using
git config.
The stmgr Go module is not considered stable before a v1.0.0 release. By the terms of the LICENSE file you are free to use this code "as is" in almost any way you like, but for now, we support its use only via the above program. We don't aim to provide any backwards-compatibility for internal interfaces.
We make feature releases when something new is ready. As a rule of thumb, feature releases will not happen more often than once per month.
In case critical bugs are discovered, we intend to provide bug-fix-only updates for the latest release in a timely manner. Backporting bug-fixes to older releases than the latest one will be considered on a case-by-case basis. Such consideration is most likely if the latest feature release is very recent and upgrading to it is particularly disruptive due to the changes that it brings.
We strive to make stmgr upgrades easy and well-documented. Any complications, e.g., chages to command line flags, will be clearly outlined in the NEWS file. Pay close attention to the "Incompatible changes" section before upgrading to a new version.