The Update Framework specification

Results 87 specification issues

For multi-role delegations can ``min_roles_in_agreement`` include multiple instances of the same role? For example, if Targets delegates to Alice and Bob, who both delegate to Charlie, can Charlie's approval count...

> All documents use a subset of the JSON object format, with floating-point numbers omitted. When calculating the digest of an object, we use the "canonical JSON" subdialect as described...

In section 5.1.9, it states: > 1.9. If the timestamp and / or snapshot keys have been rotated, then delete the trusted timestamp and snapshot metadata files. This is done...

@jawi reports: > From my experience implementing TUF in a different language (Java), it always caused me several headaches when trying to get the signing right. Mostly this is due...

The TUF specification outlines the Root role and key revocations [here](https://github.com/theupdateframework/tuf/blob/d2cc96766f5c094281f24fc425bbb044cf76602c/docs/tuf-spec.txt#L491-L495). We should add a separate section that more thoroughly covers key revocation of top-level roles, and how clients are...

I'm trying to wrap my head around the whole delegated roles part of the spec. I see the possible use cases for delegating the authority of parts of a repository...

I'm trying to get my head around the update workflow from a client's perspective. Especially the initial phase, e.g., what to do if a client starts up for the 1st...

For almost all files listed in the snapshot, if no locally cached snapshot is available this just means that they should be considered changed and should be downloaded. However, the...

In theupdateframework/specification#76 I mention that we delete the cached snapshot and timestamp on a verification error to avoid attacks where the attacker sets the file version to MAX_INT. However, we...

(I'm logging issues such as these mostly to help make the spec more precise. I hope it's useful.) The update process described in Section 5.1 looks something like: 1. Download...