rust-tuf

Split `Repository` trait into local and remote components

Open heartsucker opened this issue 8 years ago • 3 comments

Because we trust data once it's in the local repo, and we don't need to reverify it on every fetch.

heartsucker avatar Jul 26 '17 15:07 heartsucker

For repositories like FileSystemRepository, I assume we don't need to check for trickle attacks, but do you think we ought to verify the hash on every read?

erickt avatar Aug 03 '18 20:08 erickt

Circling back, yes we should verify the hash on every read in FileSystemRepository. On Fuchsia, we store our trusted root in a read-only location, so we can cryptographically verify that all the metadata and target files are based off of our initial trusted root. Since we want to protect against an attacker being able to manipulate our mutable storage, we need to check the file is as expected when we open it up.

EphemeralRepository however does not need to verify the hash, since if an attacker can modify our TUF process's memory, then they can probably skip verification altogether.

erickt avatar Nov 21 '19 04:11 erickt
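The verify-on-every-read behaviour discussed above for a filesystem-backed repository, as an added example that is not part of the thread and not rust-tuf code. It is written in Python so it runs with the standard library alone; `read_verified`, `HashMismatch`, `demo` and the sample file content are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os
import tempfile


class HashMismatch(Exception):
    """Bytes read from mutable storage do not match the trusted metadata."""


def read_verified(path, expected_len, expected_sha256):
    """Read a file from mutable local storage, checking it on every read.

    expected_len and expected_sha256 must come from metadata that was already
    verified against the trusted root, never from the storage being read.
    """
    with open(path, "rb") as f:
        # Bounded read: never buffer more than one byte past the declared length.
        data = f.read(expected_len + 1)
    if len(data) != expected_len:
        raise HashMismatch(f"{path}: length differs from trusted metadata")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise HashMismatch(f"{path}: SHA-256 differs from trusted metadata")
    return data


def demo():
    """Constructed scenario: store a file, modify it on disk, read it again."""
    original = b'{"signed": {"version": 1}}'  # constructed sample content
    trusted = (len(original), hashlib.sha256(original).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "targets.json")
        with open(path, "wb") as f:
            f.write(original)
        first = read_verified(path, *trusted)
        # Same-length change made behind the repository's back.
        with open(path, "wb") as f:
            f.write(original.replace(b"1", b"2"))
        try:
            read_verified(path, *trusted)
            rejected = False
        except HashMismatch:
            rejected = True
    return first == original, rejected


if __name__ == "__main__":
    print(demo())
```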

If we want to always verify from a local repo, we can close this. Since the ephemeral repo is only used for testing, it's ok if it's not particularly efficient (not that hashing is slow, but it's an unnecessary optimization).

heartsucker avatar Nov 21 '19 08:11 heartsucker