Comments (9)
Actually I think I can solve most of this in the sigstore tuf client, let me think of that for a while.
But I would still need the deviation from the tuf spec (load metadata on disk only), I'll prepare a PR and we can discuss it more.
from go-tuf-metadata.
cc: @kommendorkapten
FWIW in python-tuf there was an explicit decision to only allow one refresh() call during an Updater's lifetime: https://github.com/theupdateframework/python-tuf/blob/f711997a08cbb558fc8ab91406a846bbe4883d1a/tuf/ngclient/updater.py#L115
Mostly sharing this so that you can dig into the rationale for the choice on the Python side and make an explicit choice to diverge from their implementation approach. I know this codebase started out implementing the same architecture.
👋 @joshuagl I'm working now on integrating this into the Sigstore TUF client, and if you remember, there are some requirements on caching, and especially to allow a client to use the locally cached metadata without performing a TUF update. We know this is a deviation from the TUF spec, but it was still a desired feature to have.
As part of adding that functionality, it would be required to first load the metadata on disk, then if expired, perform an update. This currently fails due to this.
Another example is long-lived processes, such as services that may have a lifetime far beyond the timestamp's expiration time. Such components could of course periodically recycle the client used, but that feels a bit unnecessary. Would be interesting to hear your thoughts here.
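An added illustration of the cache-first flow described in the comment above (example code written for this page, not go-tuf-metadata's own code or API): it reads cached top-level metadata and reports which roles have expired at a given instant, so the caller can decide between continuing offline and running a full TUF update. The role set, the constructed sample cache and the helper names `staleRoles`/`sampleCache` are assumptions; signature verification against the trusted root is intentionally out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

const tufTimeLayout = "2006-01-02T15:04:05Z" // TUF expires: UTC, no fractional seconds
type metaFile struct { // only the fields of a TUF metadata file this check needs
	Signed struct {
		Type    string `json:"_type"`
		Expires string `json:"expires"`
	} `json:"signed"`
}

// staleRoles returns the cached top-level roles that have expired at `now`: empty
// means the client may keep working offline, non-empty means it must refresh, and an
// error means there is no usable cache. Signatures are deliberately not verified here:
// that is the trusted-root bootstrap's job and is what gives a cache any security value.
func staleRoles(cached map[string][]byte, now time.Time) ([]string, error) {
	var expired []string
	for _, role := range []string{"root", "timestamp", "snapshot", "targets"} {
		var m metaFile
		raw, ok := cached[role]
		if !ok || json.Unmarshal(raw, &m) != nil || m.Signed.Type != role {
			return nil, fmt.Errorf("cached %s.json missing or not %s metadata", role, role)
		}
		// time.Parse tolerates stray fractional seconds, so also enforce the exact length.
		exp, err := time.Parse(tufTimeLayout, m.Signed.Expires)
		if err != nil || len(m.Signed.Expires) != len(tufTimeLayout) {
			return nil, fmt.Errorf("%s.json: malformed expires %q", role, m.Signed.Expires)
		}
		if !now.Before(exp) {
			expired = append(expired, role)
		}
	}
	return expired, nil
}

// sampleCache is a constructed cache: long-lived root/snapshot/targets plus a timestamp
// expiring at the given instant (timestamp is the role that expires first in practice).
func sampleCache(timestampExpires string) map[string][]byte {
	meta := func(role, exp string) []byte {
		return []byte(fmt.Sprintf(`{"signed":{"_type":%q,"expires":%q},"signatures":[]}`, role, exp))
	}
	return map[string][]byte{
		"root": meta("root", "2031-01-01T00:00:00Z"), "snapshot": meta("snapshot", "2031-01-01T00:00:00Z"),
		"targets": meta("targets", "2031-01-01T00:00:00Z"), "timestamp": meta("timestamp", timestampExpires),
	}
}
```

A long-lived process can call `staleRoles` on every use and trigger the network refresh only when it returns a non-empty list, which is the behaviour a one-refresh-per-Updater design cannot express.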
See #87
See theupdateframework/python-tuf#2472 for some exploration of offline mode for python-tuf
Yes the last comment hopefully explains why we finally decided not to merge anything yet in python-tuf: At the moment sigstore-python can achieve the same security benefits (roughly none) by just using cached artifacts without verifying them.
If we had theupdateframework/python-tuf#1168 then offline verification would be a little more useful.
Ah, the bootstrapped root functionality is expected to be part of python-tuf itself? My thinking is a bit different, go-tuf requires a root.json (LocalTrustedRoot) and so it would be the actual program's responsibility to make sure that it can be trusted (and the technique used to protect it can differ between programs).
Closing in favour of theupdateframework/go-tuf#593