fix: abandon updates if timestamp.json isn't new #387
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
znewman01
force-pushed
the
abandonallupdatesyewhoenterhere
branch
from
f393a21
to
189f7d1
Compare
Adds a new test for this case: if a client sees a new `timestamp.json` file with the same version as its current `timestamp.json` file, it should do nothing (no update, but also no error). A few other tests were implicitly relying on the fact that the client did a full update each time, so they've been updated to commit a new timestamp. This updates go-tuf for TUF specification v1.0.30 (fixes theupdateframework#321). The only substantive change was [theupdateframework/specification#209][tuf-spec-209], which clarifies the intended behavior for updating metadata files. Updates for other roles were already in compliance: - Root metadata: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L258 - Timestamp, checking snapshot version: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L751 - Snapshot, must match version from timestamp: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L667 - Snapshot, no rollback of targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L685 - Targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L643 [tuf-spec-209]: (theupdateframework/specification#209). Signed-off-by: Zachary Newman <z@znewman.net>
znewman01
force-pushed
the
abandonallupdatesyewhoenterhere
branch
from
189f7d1
to
4d59f3b
Compare
mnm678
approved these changes
Sep 20, 2022
joshuagl
approved these changes
Sep 20, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a new test for this case: if a client sees a new
timestamp.jsonfile with the same version as its currenttimestamp.jsonfile, it should do nothing (no update, but also no error).A few other tests were implicitly relying on the fact that the client did a full update each time, so they've been updated to commit a new timestamp.
This updates go-tuf for TUF specification v1.0.30 (fixes #321). The only substantive change was
theupdateframework/specification#209, which clarifies the intended behavior for updating metadata files.
Updates for other roles were already in compliance:
go-tuf/client/client.go
Line 258 in 13eff30
go-tuf/client/client.go
Line 751 in 13eff30
go-tuf/client/client.go
Line 667 in 13eff30
go-tuf/client/client.go
Line 685 in 13eff30
go-tuf/client/client.go
Line 643 in 13eff30
Signed-off-by: Zachary Newman z@znewman.net
Please fill in the fields below to submit a pull request. The more information that is provided, the better.
Fixes #369
Release Notes: go-tuf clients now only complete an update if the timestamp.json file is new, rather than completing the same update over and over.
Types of changes:
Description of the changes being introduced by the pull request: See above
Please verify and check that the pull request fulfills the following requirements: