Inspecting trusted targets


B. van Lunteren

Mar 29, 2022, 10:46:22 AM
to The Update Framework (TUF)
Hi everyone,

A question about the `ngclient.updater.Updater` interface in the reference implementation:

There is a public `Updater.get_targetinfo()` method which allows us to get a `TargetFile` for a specific `target_path`.

This is useful if we already know which target we need, but what if our application does not know the target path beforehand?

Is there some way to list available targets, or iterate over them? 

For example, my application might need to look for newly added "patch" files, or it may need to determine the target path based on the content of a [CUSTOM][1] object (`TargetFile.custom`).

We could use `Updater._trusted_set.targets.signed.targets`, but `_trusted_set` does not look like part of the public API.

What would be the proper way to do this?

Or perhaps I am approaching this the wrong way?

Thanks for your help.

Trishank Kuppusamy

Mar 29, 2022, 10:49:37 AM
to B. van Lunteren, Jussi Kukkonen, The Update Framework (TUF)
This is for @Jussi Kukkonen and friends :)

--
You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/theupdateframework/f381ce95-1c4c-4206-b71a-b376d25f3a30n%40googlegroups.com.

Jussi Kukkonen

Apr 1, 2022, 8:24:44 AM
to B. van Lunteren, The Update Framework (TUF)
Hi,

TUF (as in the TUF specification) doesn't really provide any means for searching for things -- this is probably good as it would likely be difficult to make the right design decisions for all use cases.

Currently it's also true that ngclient does not expose the targets metadata to the caller: I think I wouldn't oppose exposing it if there is a clear need for that. However...

There is an additional hurdle: once you start using delegated targets, a search implemented over generic TUF metadata basically stops working. The delegating metadata does not know what targets the delegated metadata provides so a client would potentially need to download all metadata to conclusively respond to a query.

For this reason (and because the search requirements are application specific), I think it makes sense to implement search "above" TUF: This could mean creating application specific index files that are added into the repository as TUF target files. Then your client knows to download a specific index, uses the index file to search for the actual targetname, then downloads the target.

That said, I can see how some search use cases could be implemented by just looking at targets metadata (possibly with some custom fields in it). Accommodating for that in ngclient sounds totally fine: please file a feature request on GitHub if you think you've got a case where that makes sense.

Hope that helps,
Jussi
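
A sketch of the "index above TUF" approach described in the reply above, added here as an example; it is not part of the thread and not python-tuf code. It uses only the public `get_targetinfo()` and `download_target()` methods of an `ngclient` `Updater`; the index target name `index.json`, its JSON layout and the `search_targets` helper are assumptions made for illustration.

```python
import json
from typing import Any, Callable, Dict, List, Tuple

# Assumed index layout (constructed for this example, not defined by TUF):
# {"targets": [{"path": "patches/1.0.1.patch", "kind": "patch"}, ...]}
INDEX_PATH = "index.json"  # hypothetical target path of the index file


def search_targets(
    updater: Any,
    matches: Callable[[Dict[str, Any]], bool],
    index_path: str = INDEX_PATH,
) -> List[Tuple[str, Any]]:
    """Return (target_path, TargetFile) pairs for index entries accepted by `matches`.

    `updater` is a tuf.ngclient Updater, or any object exposing the same
    get_targetinfo() and download_target() methods.
    """
    # The index is an ordinary TUF target, so its length and hashes are
    # verified against signed metadata before it is parsed.
    index_info = updater.get_targetinfo(index_path)
    if index_info is None:
        raise LookupError(f"index {index_path!r} is not a trusted target")
    local_index = updater.download_target(index_info)

    with open(local_index, encoding="utf-8") as f:
        index = json.load(f)

    results = []
    for entry in index.get("targets", []):
        if not matches(entry):
            continue
        # The index only supplies names; trust still comes from TUF metadata.
        # An entry that no targets role vouches for resolves to None and is skipped.
        info = updater.get_targetinfo(entry["path"])
        if info is not None:
            results.append((entry["path"], info))
    return results
```

Each returned `TargetFile` can then be passed to `Updater.download_target()` as usual, so the index never replaces the hash and length checks TUF performs on the actual target.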

