Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update does not fail when snapshot is not valid #385

Open
renatav opened this issue Jan 25, 2024 · 0 comments · Fixed by #389
Open

Update does not fail when snapshot is not valid #385

renatav opened this issue Jan 25, 2024 · 0 comments · Fixed by #389
Labels
security updater

Comments

@renatav
Copy link
Collaborator

renatav commented Jan 25, 2024
edited
Loading

When timestamp is invalid, update fails. If snapshot is updated in the same invalid way, it does not.

The problem here is that TUF's updater only downloads new metadata files if it is determined based on other metadata files that they should be updated. However, metadata files which are not downloaded by the TUF updater might have been changed in a particular commit and might be invalid. So, if we change snapshot without updating timestamp, TUF updater will not download it. But that snapshot metadata file could be invalid. We cannot simply check if the metadata files are the same since we have cases where we unnecessarily increased a version and signed, even though nothing was updated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security updater
Projects
TAF Planning
Status: Backlog
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check if metadata files at revision match those downloaded by TUF updater openlawlibrary/taf
1 participant
@renatav