-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
specification has new version #1992
Comments
There's two changes that are relevant https://github.com/theupdateframework/specification/compare/v1.0.29..v1.0.30:
I'm not sure if we use or discard the new metadata in this case: the spec advice seems reasonable. The only problem I can imagine with it is that now two clients might have two different versions even if they are updated at the same time (one had an earlier published root of this version already, the other one did not have this version yet). Still seems to make sense, we should check the implementation.
We likely do this already as it's the logical thing to do but should check. |
Actually I'm also pretty sure we only accept specific root versions, anything else would be silly (since we download specific versions, surely the version in json must match or it's an error). We never try to download a version equal to current version so there's no non-error way to end up with root metadata with equal versions... So likely nothing needs to be done |
I confirm this. The initial root updating routine from python-tuf/tuf/ngclient/updater.py Lines 306 to 317 in 46979bb
... and in python-tuf/tuf/ngclient/_internal/trusted_metadata_set.py Lines 166 to 167 in 46979bb
|
This is not what ngclient does ( python-tuf/tuf/ngclient/_internal/trusted_metadata_set.py Lines 222 to 242 in 46979bb
We only fail if new timestamp version is less than trusted timestamp version (L224). Otherwise, e.g. if versions are equal, we continue the update cycle and the new timestamp (with equal version) becomes the trusted timestamp (L241) |
oh interesting!
|
Re-reading the detailed client workflow, I'm somehow missing clear instructions for the case where no new (valid) metadata exists on the repo, but trusted metadata is available on the client. In my understanding the client will proceed until the point where it downloads the target, but that does not seem to be spelled out anywhere. |
To me the main action items from this discussion here are:
|
Created two tickets for above items: |
#2023 was merged. Shall we bump ... python-tuf/tuf/api/metadata.py Line 78 in 46979bb
|
It seems there is no other immediate blocker. |
It seems specification (https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) has new version.
Please review the version.
The text was updated successfully, but these errors were encountered: