
The Update Framework specification

Results 87 specification issues

The spec is a little vague as to how we should handle updating metadata that shares the same version number as the trusted metadata, but has different content. We can...

Step three of [6.3.1](https://theupdateframework.github.io/specification/latest/#update-targets-metadata) states: > Sign the updated targets metadata with at least a [THRESHOLD](https://theupdateframework.github.io/specification/latest/#threshold) of keys for the associated targets role (either the top-level targets role, or a...

Hashed bin delegation is not well documented in the specification. One of the better/more frequently referenced descriptions is in PEP 458. We might add this to the ~new repository operations...

For delegations, some examples seem to use a directory structure where `foo/` means `foo/bar/`, `foo/baz`, and recursively everything under them. Other examples use what appears to be Unix-style globbing...

question

## Preamble I'm filing this issue as suggested by @trishankkarthik inside of [this conversation](https://github.com/awslabs/tough/pull/426). The comments relevant to this issue are [this one](https://github.com/awslabs/tough/pull/426#pullrequestreview-850885096) and [this one](https://github.com/awslabs/tough/pull/426#issuecomment-1011596413). ## The issue The...

I suggest adding a simple key compromise analysis section for the top-level roles akin to the corresponding sections in [PEP 458](https://www.python.org/dev/peps/pep-0458/#key-compromise-analysis) and [PEP 480](https://www.python.org/dev/peps/pep-0480/#key-compromise-analysis). That is a matrix that...

enhancement

There was an attempt to clarify `paths` vs `path_hash_prefixes` use in delegations (4.5) a few months ago but it looks like the result is still not quite finished: > The...

question

In https://theupdateframework.github.io/specification/v1.0.26/#fetch-target, when downloading targets with consistent snapshots enabled, it states: > ... Otherwise, the filename is of the form HASH.FILENAME.EXT (e.g., c14aeb4ac9f4a8fc0d83d12482b9197452f6adf3eb710e3b1e2b79e8d14cb681.foobar.tar.gz), where HASH is one of the hashes...

[5.7 Fetch target](https://theupdateframework.github.io/specification/v1.0.26/#fetch-target) could do with some clarification improvements: * 5.7.1. states what we are doing in all of 5.7 * 5.7.3. includes multiple actions in one step of the...

enhancement

This may be in secondary literature #91 or it may belong as part of the specification, but either way, we should capture more guidance for repository operators (and repository tooling...

enhancement