Comments (2)
The client should now detect outdated metadata it may download by inspecting the new "version" field.
$ ../../client/basic_client.py --repo http://localhost:8001
[2013-03-31 22:01:36,917 UTC] [tuf.download] [INFO] Downloading: http://localhost:8001/metadata/timestamp.txt
Error: 'http://localhost:8001/metadata/timestamp.txt' is older than the version currently installed.
Downloaded version: 1
Current version: 2
from python-tuf.
What the metadata changes now verify:
(1) A valid timestamp (we only check its format). Was the metadata created at a future date? Some other invalid date? We need to better check the metadata's timestamp value.
https://github.com/theupdateframework/tuf/blob/master/tuf/formats.py#L118-L120
The previous date timestamp has been converted to a single integer value, representing the metadata version number. Checking for invalid dates, such as a 'ts' date value that is greater than the present date, is no longer an issue. The client will now only accept metadata with version numbers greater than the current. Comparing integers becomes a much simpler affair.
(2) That the downloaded metadata is newer than our current version.
https://github.com/theupdateframework/tuf/blob/master/tuf/client/updater.py#L711-L724
The previous implementation did not verify that the timestamp of the downloaded metadata was newer than the current version. As stated above, any version greater (i.e., by one, or more, version numbers) than the current one is valid. A bogus clock becomes a non-issue with version numbers; we now at least protect the previous 'ts' field.
(3) Delegated targets metadata have not expired (we only check for the top-level roles).
_refresh_targets_metadata() is called when updating delegated roles. The expiration date is verified on line:
https://github.com/theupdateframework/tuf/blob/master/tuf/client/updater.py#L1365
The repository tools and unit tests were also updated to allow independent version & expiration dates for all metadata on a repository.
from python-tuf.
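The checks discussed in the two comments above, sketched as an added example; it is not taken from the thread or from python-tuf's code. The function names, role names, sample metadata, and the ISO 8601 expiration format are assumptions made for the illustration.

```python
from datetime import datetime, timezone

class MetadataRejected(Exception):
    """Downloaded metadata must not replace the trusted copy."""

def check_downloaded(role, downloaded, current, now):
    """Return `downloaded` if it may replace `current`, else raise."""
    version = downloaded.get("version")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        raise MetadataRejected(f"{role}: malformed version {version!r}")
    # Rollback check: a plain integer comparison, independent of any clock.
    if current is not None and version <= current["version"]:
        raise MetadataRejected(
            f"{role}: downloaded version {version} is not newer than "
            f"current version {current['version']}")
    # Expiration check, applied to delegated roles as well as top-level ones.
    try:
        expires = datetime.fromisoformat(downloaded["expires"])
        expired = expires <= now  # TypeError if the date carries no offset
    except (KeyError, TypeError, ValueError):
        raise MetadataRejected(f"{role}: missing or malformed expiration")
    if expired:
        raise MetadataRejected(f"{role}: expired at {downloaded['expires']}")
    return downloaded

def refresh(trusted, fetched, now):
    """Check every fetched role; return (new_trusted, rejected reasons)."""
    new_trusted, rejected = dict(trusted), {}
    for role, meta in fetched.items():
        try:
            new_trusted[role] = check_downloaded(role, meta, trusted.get(role), now)
        except MetadataRejected as exc:
            rejected[role] = str(exc)  # keep the previously trusted copy
    return new_trusted, rejected

# Constructed sample data: each role has its own version and expiration.
NOW = datetime(2013, 3, 31, 22, 1, 36, tzinfo=timezone.utc)
TRUSTED = {
    "timestamp": {"version": 2, "expires": "2013-04-30T00:00:00+00:00"},
    "targets": {"version": 6, "expires": "2013-06-01T00:00:00+00:00"},
    "targets/unclaimed": {"version": 4, "expires": "2013-06-01T00:00:00+00:00"},
}
FETCHED = {
    "timestamp": {"version": 1, "expires": "2013-04-30T00:00:00+00:00"},
    "targets": {"version": 7, "expires": "2013-06-01T00:00:00+00:00"},
    "targets/unclaimed": {"version": 5, "expires": "2013-03-01T00:00:00+00:00"},
}
NEW_TRUSTED, REJECTED = refresh(TRUSTED, FETCHED, NOW)
```

With this data the replayed `timestamp` (version 1 against a trusted 2) and the expired delegated role are both rejected and their trusted copies are kept, while `targets` advances to version 7.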