specification
specification copied to clipboard
The Update Framework specification
This is my attempted takeover of #86. Based on discussion in that pr, I decided to explicitly recommend that fast forward attack recovery for delegated targets roles requires replacement of...
Rollback checks in the specification imply that previously downloaded locally cached copies of non-root metadata are loaded in order to compare against. However, the specification does not explicitly state that...
Clients should declare which version of the specification they implement and keep up-to-date with specification changes (see https://github.com/theupdateframework/python-tuf/issues/1598), but we as the specification do not make it easy to understand...
Following up on #111: on second thought and some [discussion](https://cloud-native.slack.com/archives/C8NMD3QJ3/p1601477330050100), I think that we should reinstate slow-retrieval attacks in the spec, but only if we make it optional (because not...
When the specification talks about consistent targets, it always refers to filenames. Here is _6.2.1. Writing consistent snapshots_: > consistent target files should be written to non-volatile storage as digest.filename.ext...
The specification refers to files and filesystem operations done on a local filesystem. Some implementations may use TUF on distributed systems or a different non-traditional file backend. To support these...
There are parts of the specification which implementers SHOULD adhere to in order to gain the security properties of TUF. There are parts of the specification which implementers need not...
The detailed client workflow refers to trusted metadata, or a specific role's trusted metadata, several times. However, it doesn't explain _what_ trusted metadata is, except implicitly during [5.3](https://theupdateframework.github.io/specification/v1.0.20/#update-root).7 where we...
This extends section 5.5.2 to include examples on how a client should download artifacts from a subdirectory. It uses the approach that python-tuf and go-tuf use, where downloading a target...
Spec v1.0.19 Section 5.6.7 describes how the client should traverse the delegation graph to update the targets role. The wording on cycle avoidance could use some clarification. The spec says:...