repository: Tweak snapshot/timestamp triggers #2438

Open
jku opened this issue Aug 10, 2023 · 0 comments

jku commented Aug 10, 2023

Currently Repository.do_snapshot() and Repository.do_timestamp() decide whether the update is needed by looking at whether the contents are up-to-date.

This bypasses one case where timestamp and snapshot are needed: when the signing keys have changed. So I guess the two methods should also check if the current metadata is verified by root.

I did not do that originally since I was hoping the methods could be self-contained and would not make assumptions about how the repository is generated/stored. This seems to be a good reason to peek at other metadata though: root should be assumed to exist and to be valid if you are calling do_snapshot/do_timestamp.
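
The gap described in the issue above, as an added example that is not part of the issue or of python-tuf: a simplified standard-library model in which an HMAC tag stands in for a signature and plain dicts stand in for metadata. The names `sign`, `verified_by_root`, `snapshot_needed` and `demo`, and all keys and versions, are constructed for illustration.

```python
import hashlib
import hmac
import json

# Simplified model, NOT python-tuf's API: an HMAC tag stands in for a real
# signature (so root holds the secret itself instead of a public key), and
# dicts stand in for metadata. All names and values here are constructed.

def sign(key: bytes, signed: dict) -> str:
    payload = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verified_by_root(root: dict, role: str, md: dict) -> bool:
    """True if md has a threshold of valid signatures from keys root trusts for role."""
    delegation = root["roles"][role]
    valid = sum(
        1
        for keyid in delegation["keyids"]
        if keyid in md["signatures"]
        and hmac.compare_digest(md["signatures"][keyid],
                                sign(root["keys"][keyid], md["signed"]))
    )
    return valid >= delegation["threshold"]

def snapshot_needed(root, snapshot, current_versions, check_signatures) -> bool:
    if snapshot["signed"]["meta"] != current_versions:
        return True  # content trigger: the only check the issue describes today
    # Proposed extra trigger: existing snapshot is no longer verified by root.
    return check_signatures and not verified_by_root(root, "snapshot", snapshot)

def demo():
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    versions = {"targets.json": 3}
    signed = {"type": "snapshot", "version": 7, "meta": versions}
    snapshot = {"signed": signed, "signatures": {"old": sign(old_key, signed)}}
    root = {"keys": {"old": old_key},
            "roles": {"snapshot": {"keyids": ["old"], "threshold": 1}}}
    before = snapshot_needed(root, snapshot, versions, check_signatures=True)
    # Online key rotation: root now delegates snapshot to a different key,
    # while the targets content (and so snapshot's meta) is unchanged.
    root = {"keys": {"new": new_key},
            "roles": {"snapshot": {"keyids": ["new"], "threshold": 1}}}
    content_only = snapshot_needed(root, snapshot, versions, check_signatures=False)
    with_root_check = snapshot_needed(root, snapshot, versions, check_signatures=True)
    return before, content_only, with_root_check

if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the timestamp trigger: unchanged content does not mean the existing signatures still meet root's current delegation.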

jku added a commit to jku/tuf-on-ci that referenced this issue Aug 10, 2023
We don't actually get a snapshot/timestamp when online keys rotate
(because the code sees target content has not changed).

This is likely a python-tuf bug but let's workaround for now:
theupdateframework/python-tuf#2438
jku added a commit to jku/tuf-on-ci that referenced this issue Aug 11, 2023
We don't actually get a snapshot/timestamp when online keys rotate
(because the code sees target content has not changed).

This is likely a python-tuf bug but let's workaround for now:
theupdateframework/python-tuf#2438