Client::update_root should update from N+1, not fetch the latest root metadata

[erickt]

The TUF spec states that the root metadata should be updated by continuing to try to update to version N+1 metadata until we get a not-found error. However, rust-tuf doesn't follow this scheme. Instead, Client::update_root fetches the latest root metadata, then sequentially updates from the current root version through the latest version. Unfortunately, this exposes the client to parsing untrusted TUF metadata. It's theoretically possible a parser exploit that could compromise a rust-tuf Client (see #291).

We should change Client::update_root to follow the spec to avoid this issue.