ngclient feature: Add option to only update metadata if needed · Issue #2225 · theupdateframework/python-tuf
Open
@jku

Description

This is not fully thought out but I'm filing so it's not forgotten.

https://docs.google.com/document/d/1QWBvpwYxOy9njAmd8vpizNQpPti9rd5ugVhji0r3T4c

Sigstore client wants to use TUF to download files but wants to avoid the two mandatory requests (root N+1, timestamp) on startup if it's not necessary. This seems to be a totally valid feature request: if this is feasible we could offer that as an option.

The WIP sigstore client checks the timestamp expiry before creating an Updater: if timestamp is not expired, the client then decides update is not needed. There could be some issues with this:

  1. timestamp metadata validity is not checked
  2. cached target file validity is not checked
  3. root expiry is not checked

These may be partly theoretical worries but it still feels like a hack...

Maybe it is possible to

  • offer a (non-spec-compliant) Updater option that verifies
    • that metadata is valid
    • that targets are verified by the metadata
    • without hitting the network if possible
  • while still keeping updater implementation readable

?
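
The gap between the expiry-only shortcut and an offline check of the three listed points, as an added example that is not part of the issue, python-tuf, or the sigstore client. It is a stdlib-only model: HMAC stands in for TUF's public-key signatures, the metadata layout and every function name are assumptions, and the version and hash links between timestamp, snapshot and targets are left out.

```python
# Added illustration, not python-tuf code. Stdlib only: HMAC stands in for
# TUF's public-key signatures and the metadata layout is a simplified assumption.
import hashlib, hmac, json
from datetime import datetime, timedelta

ROLES = ("timestamp", "snapshot", "targets")

def _sig(key: bytes, signed: dict) -> str:
    blob = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def sign(key: bytes, signed: dict) -> dict:
    return {"signed": signed, "sig": _sig(key, signed)}

def expiry_only_check(cache: dict, now: datetime) -> bool:
    """The shortcut from the issue: only the cached timestamp's expiry is read."""
    return datetime.fromisoformat(cache["timestamp"]["signed"]["expires"]) > now

def offline_check(cache, root_key, name, target_bytes, now) -> list:
    """Reasons the cache cannot be used as-is; an empty list means no refresh needed."""
    root = cache["root"]
    if not hmac.compare_digest(root["sig"], _sig(root_key, root["signed"])):
        return ["root: bad signature"]
    problems = []
    if datetime.fromisoformat(root["signed"]["expires"]) <= now:
        problems.append("root: expired")
    for role in ROLES:
        md = cache[role]
        key = bytes.fromhex(root["signed"]["keys"][role])
        if not hmac.compare_digest(md["sig"], _sig(key, md["signed"])):
            problems.append(f"{role}: bad signature")
        elif datetime.fromisoformat(md["signed"]["expires"]) <= now:
            problems.append(f"{role}: expired")
    digest = hashlib.sha256(target_bytes).hexdigest()
    if cache["targets"]["signed"].get("targets", {}).get(name) != digest:
        problems.append(f"{name}: cached file does not match targets metadata")
    return problems

def build_sample_cache(root_key: bytes, now: datetime, target: bytes) -> dict:
    """Constructed sample data: a consistent local cache valid for one day."""
    exp = (now + timedelta(days=1)).isoformat()
    keys = {r: hashlib.sha256(r.encode()).digest() for r in ROLES}
    root = {"expires": exp, "keys": {r: k.hex() for r, k in keys.items()}}
    cache = {"root": sign(root_key, root)}
    for r in ROLES:
        body = {"expires": exp}
        if r == "targets":
            body["targets"] = {"artifact.bin": hashlib.sha256(target).hexdigest()}
        cache[r] = sign(keys[r], body)
    return cache
```

In each failing case the expiry-only check still reports the cache as fresh, while the offline check names the role or file that forces a network refresh.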
