Comments (2)

vladimir-v-diaz commented on May 24, 2024

The client should now detect outdated metadata it may download by inspecting the new "version" field.

$ ../../client/basic_client.py --repo http://localhost:8001
[2013-03-31 22:01:36,917 UTC] [tuf.download] [INFO] Downloading: http://localhost:8001/metadata/timestamp.txt
Error: 'http://localhost:8001/metadata/timestamp.txt' is older than the version currently installed.
Downloaded version: 1
Current version: 2

from python-tuf.

vladimir-v-diaz commented on May 24, 2024

What the metadata changes now verify:

(1) A valid timestamp (we only check its format). Was the metadata created at a future date? Some other invalid date? We need to better check the metadata's timestamp value.

https://github.com/theupdateframework/tuf/blob/master/tuf/formats.py#L118-L120
The previous date timestamp has been converted to a single integer value, representing the metadata version number. Checking for invalid dates, such as a 'ts' date value that is greater than the present date, is no longer an issue. The client will now only accept metadata with version numbers greater than the current. Comparing integers becomes a much simpler affair.

(2) That the downloaded metadata is newer than our current version.

https://github.com/theupdateframework/tuf/blob/master/tuf/client/updater.py#L711-L724
The previous implementation did not verify that the timestamp of the downloaded metadata was newer than the current version. As stated above, any version greater (i.e., by one, or more, version numbers) than the current one is valid. A bogus clock becomes a non-issue with version numbers; we now at least protect the previous 'ts' field.

(3) Delegated targets metadata have not expired (we only check for the top-level roles).

_refresh_targets_metadata() is called when updating delegated roles. The expiration date is verified on line:
https://github.com/theupdateframework/tuf/blob/master/tuf/client/updater.py#L1365

The repository tools and unit tests were also updated to allow independent version & expiration dates for all metadata on a repository.

from python-tuf.
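
An added example (not code from python-tuf or from the comments above) of the client-side checks this thread discusses: an integer version that must not go backwards, and an expiration check applied to every role, delegated ones included. The flat JSON layout, the `expires` field name and its ISO 8601 format, and every function and constant name are assumptions; the sample metadata is constructed.

```python
import json
from datetime import datetime, timezone

class MetadataError(Exception):
    """Downloaded metadata that must not replace the installed copy."""

def check_metadata(raw, role, trusted_version, now):
    """Return True if raw is newer than the installed version, False if equal.

    Raises MetadataError on a malformed version, expired metadata or a rollback.
    Signatures are assumed to have been verified before this is called.
    """
    meta = json.loads(raw)
    version = meta.get("version")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        raise MetadataError(f"{role}: invalid version {version!r}")
    # Expiry applies to every role, delegated targets roles included.
    expires = datetime.fromisoformat(meta["expires"])
    if expires <= now:
        raise MetadataError(f"{role}: expired on {expires.isoformat()}")
    # Integer comparison does not depend on the date written into the metadata.
    if version < trusted_version:
        raise MetadataError(
            f"{role}: downloaded version {version} is older than "
            f"installed version {trusted_version}")
    return version > trusted_version

# Constructed sample metadata (hypothetical layout, not real repository files).
NOW = datetime(2013, 3, 31, 22, 1, 36, tzinfo=timezone.utc)
STALE = '{"version": 1, "expires": "2013-04-30T00:00:00+00:00"}'
NEWER = '{"version": 3, "expires": "2013-04-30T00:00:00+00:00"}'
EXPIRED = '{"version": 5, "expires": "2013-01-01T00:00:00+00:00"}'

def verdict(raw, role, trusted_version):
    """Turn the check into a short string for logging or display."""
    try:
        newer = check_metadata(raw, role, trusted_version, NOW)
    except MetadataError as err:
        return f"reject ({err})"
    return "install" if newer else "keep current"

if __name__ == "__main__":
    print(verdict(STALE, "timestamp", 2))
    print(verdict(NEWER, "timestamp", 2))
    print(verdict(EXPIRED, "targets/delegated", 2))
```

The expired sample carries the highest version number and is still rejected, which shows that the version check and the expiration check are independent.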
