Update metadata version comparison rules in client workflow #209

rdimitrov · 2022-02-16T15:45:18Z

The client workflow has a set of version comparisons rules for how
to update metadata files. The following PR addresses the differences
coming from the fact that when updating not all metadata files should
be treated equally.

Fixes #207 and is related to #114

Notes:

root should be updated only when there's a newer version
timestamp should be updated only when there's a newer version AND the referenced snapshot version is not less than the one in the already trusted timestamp
snapshot should be updated only when its version is the same as the one referenced in the trusted timestamp AND the version of the referenced targets metadata (incl. delegated targets files) is equal or newer than the ones in the trusted snapshot.
targets should be updated only when its version is the same as the one referenced in the trusted snapshot
In regards to How should we handle metadata that has the same version but different content? #114, for timestamp, the decision is to take into account the new timestamp metadata file only if its version is not less than or equal to the trusted one, so this PR addresses one of the use cases mentioned in the issue.

The client workflow has a set of version comparison rules for how to update metadata files. The following PR addresses the differences coming from the fact that when updating not all metadata files should be treated equally. Fixes theupdateframework#207 and is related to theupdateframework#114 Signed-off-by: Radoslav Dimitrov <[email protected]>

Signed-off-by: Radoslav Dimitrov <[email protected]>

…date Signed-off-by: Radoslav Dimitrov <[email protected]>

joshuagl

This has long been a source of confusion in the spec. Thank you for the fix!

tuf-spec.md

joshuagl · 2022-04-28T20:24:59Z

@mnm678 if you're still comfortable with the change could you re-approve? Thank you.

Adds a new test for this case: if a client sees a new `timestamp.json` file with the same version as its current `timestamp.json` file, it should do nothing (no update, but also no error). A few other tests were implicitly relying on the fact that the client did a full update each time, so they've been updated to commit a new timestamp. This updates go-tuf for TUF specification v1.0.30 (fixes theupdateframework#321). The only substantive change was [theupdateframework/specification#209][tuf-spec-209], which clarifies the intended behavior for updating metadata files. Updates for other roles were already in compliance: - Root metadata: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L258 - Timestamp, checking snapshot version: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L751 - Snapshot, must match version from timestamp: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L667 - Snapshot, no rollback of targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L685 - Targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L643 [tuf-spec-209]: (theupdateframework/specification#209). Signed-off-by: Zachary Newman <[email protected]>

Adds a new test for this case: if a client sees a new `timestamp.json` file with the same version as its current `timestamp.json` file, it should do nothing (no update, but also no error). A few other tests were implicitly relying on the fact that the client did a full update each time, so they've been updated to commit a new timestamp. This updates go-tuf for TUF specification v1.0.30 (fixes #321). The only substantive change was [theupdateframework/specification#209][tuf-spec-209], which clarifies the intended behavior for updating metadata files. Updates for other roles were already in compliance: - Root metadata: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L258 - Timestamp, checking snapshot version: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L751 - Snapshot, must match version from timestamp: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L667 - Snapshot, no rollback of targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L685 - Targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L643 [tuf-spec-209]: (theupdateframework/specification#209). Signed-off-by: Zachary Newman <[email protected]> Signed-off-by: Zachary Newman <[email protected]>

rdimitrov force-pushed the dimitrovr/version-check-fix branch from 94c5930 to b534008 Compare February 16, 2022 15:46

rdimitrov added 2 commits February 17, 2022 12:40

Bump date and version to 1.0.29

17fd272

Signed-off-by: Radoslav Dimitrov <[email protected]>

Address what happens in case of equal metadata versions for client up…

d008607

…date Signed-off-by: Radoslav Dimitrov <[email protected]>

mnm678 previously approved these changes Apr 27, 2022

View reviewed changes

joshuagl previously approved these changes Apr 28, 2022

View reviewed changes

tuf-spec.md Outdated Show resolved Hide resolved

tuf-spec.md Outdated Show resolved Hide resolved

Update VERSION and Date

24638a6

joshuagl dismissed stale reviews from mnm678 and themself via 24638a6 April 28, 2022 20:23

Merge branch 'master' into dimitrovr/version-check-fix

81c1dd3

joshuagl requested a review from mnm678 April 28, 2022 20:24

joshuagl approved these changes Apr 28, 2022

View reviewed changes

mnm678 approved these changes Apr 28, 2022

View reviewed changes

mnm678 merged commit 7f356e4 into theupdateframework:master Apr 28, 2022

rdimitrov mentioned this pull request Apr 29, 2022

How should we handle metadata that has the same version but different content? #114

Open

rdimitrov deleted the dimitrovr/version-check-fix branch April 29, 2022 13:27

erickt mentioned this pull request May 19, 2022

Do we always need to download snapshot and targets? #227

Open

This was referenced Jun 8, 2022

Must signed.version be incremented every time a role is re-signed? theupdateframework/python-tuf#2020

Open

Clarify client workflow when no new metadata is available #235

Open

jku mentioned this pull request Aug 9, 2022

root version comparison still unclear #240

Open

znewman01 mentioned this pull request Sep 20, 2022

fix: abandon updates if timestamp.json isn't new theupdateframework/go-tuf#387

Merged

5 tasks

tedbow mentioned this pull request Mar 27, 2023

Update TUF spec to v1.0.30 php-tuf/php-tuf#326

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update metadata version comparison rules in client workflow #209

Update metadata version comparison rules in client workflow #209

rdimitrov commented Feb 16, 2022 •

edited

Loading

joshuagl left a comment

joshuagl commented Apr 28, 2022

Update metadata version comparison rules in client workflow #209

Update metadata version comparison rules in client workflow #209

Conversation

rdimitrov commented Feb 16, 2022 • edited Loading

joshuagl left a comment

Choose a reason for hiding this comment

joshuagl commented Apr 28, 2022

rdimitrov commented Feb 16, 2022 •

edited

Loading