fun signersMustHaveCaBitSet() {
    val attackerCa =
      HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(4)
        .commonName("attacker ca")
        .build()
    val attackerIntermediate =
      HeldCertificate.Builder()
        .serialNumber(2L)
        .certificateAuthority(3)
        .commonName("attacker")
        .signedBy(attackerCa)
        .build()
    val pinnedRoot =

### Hardware attacks

Physical GPUs or TPUs can also be the target of attacks. [Published
research](https://scholar.google.com/scholar?q=gpu+side+channel) shows that it
might be possible to use side channel attacks on the GPU to leak data from other
running models or processes in the same system. GPUs can also have
implementation bugs that might allow attackers to leave malicious code running

	if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) {
		return nil, ErrHeader
	}

	// Parse for all member entries.
	// numEntries is trusted after this since a potential attacker must have
	// committed resources proportional to what this library used.
	if err := feedTokens(2 * numEntries); err != nil {
		return nil, err
	}
	spd := make(sparseDatas, 0, numEntries)

    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And they send a request with a username `johndoe` and a password `love123`.

  optional PhotonPersistentDiskVolumeSource photonPersistentDisk = 17;

  // portworxVolume represents a portworx volume attached and mounted on kubelets host machine
  // +optional
  optional PortworxVolumeSource portworxVolume = 18;

  // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
  // +optional

message VolumeAttachmentSpec {
  // attacher indicates the name of the volume driver that MUST handle this
  // request. This is the name returned by GetPluginName().
  optional string attacher = 1;

  // source represents the volume that should be attached.
  optional VolumeAttachmentSource source = 2;

  // nodeName represents the node that the volume should be attached to.
  optional string nodeName = 3;
}

  fun headers(name: String): List<String> = commonHeaders(name)

  /** Returns the tag attached with [T] as a key, or null if no tag is attached with that key. */
  @JvmName("reifiedTag")
  inline fun <reified T : Any> tag(): T? = tag(T::class)

  /** Returns the tag attached with [type] as a key, or null if no tag is attached with that key. */
  fun <T : Any> tag(type: KClass<T>): T? = type.java.cast(tags[type])

  /**

message VolumeAttachmentSpec {
  // attacher indicates the name of the volume driver that MUST handle this
  // request. This is the name returned by GetPluginName().
  optional string attacher = 1;

  // source represents the volume that should be attached.
  optional VolumeAttachmentSource source = 2;

  // nodeName represents the node that the volume should be attached to.
  optional string nodeName = 3;
}

    Optional<Path> getPath(Project project);

    /**
     * Returns an immutable collection of attached artifacts for given project.
     */
    @Nonnull
    Collection<ProducedArtifact> getAttachedArtifacts(Project project);

    /**
     * Returns project's all artifacts as immutable collection. The list contains all artifacts, even the attached ones,

message VolumeAttachmentSpec {
  // attacher indicates the name of the volume driver that MUST handle this
  // request. This is the name returned by GetPluginName().
  optional string attacher = 1;

  // source represents the volume that should be attached.
  optional VolumeAttachmentSource source = 2;

  // nodeName represents the node that the volume should be attached to.
  optional string nodeName = 3;
}