GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 #1894

Merged
merged 1 commit into from
May 19, 2022

@janisz (Contributor) commented May 18, 2022

@janisz janisz force-pushed the main branch 2 times, most recently from 1382f32 to 4dc866f Compare May 18, 2022 13:03
@janisz janisz changed the title Update go-tuf GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 May 18, 2022
@dlorenc (Member) commented May 18, 2022

Cc @asraa and @haydentherapper

@janisz (Contributor, Author) commented May 18, 2022

I think this should be handled by @dependabot
I'm not sure why it missed this update.

Signed-off-by: Tomasz Janiszewski <janiszt@gmail.com>
@@ -425,7 +425,7 @@ func embeddedLocalStore() (client.LocalStore, error) {
func (t *TUF) updateMetadataAndDownloadTargets() error {
// Download updated targets and cache new metadata and targets in ${TUF_ROOT}.
targetFiles, err := t.client.Update()
if err != nil && !client.IsLatestSnapshot(err) {
if err != nil {
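Review bot: At `if err != nil {` in updateMetadataAndDownloadTargets, the `!client.IsLatestSnapshot(err)` exemption is dropped with no stated reason; the visible commit message carries only a Signed-off-by line. Every error returned by `t.client.Update()` now aborts the update, so please say in the commit message or in a comment next to the check why the exemption is no longer needed with go-tuf v0.3.0, and confirm a test covers an update run when the cached metadata is already current.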
Contributor

Why was this removed?

Contributor

@asraa asraa May 18, 2022

It's obsolete -- TUF used to error out if the update fetched a snapshot with the same version, and that was removed.

See change in https://github.com/theupdateframework/go-tuf/pull/143/files when go-tuf updated to follow the spec for client updates

Contributor

SG

Looks like some e2e tests failed
