Add clarifying comments around TUF caching options #173
Conversation
|
@kommendorkapten, lemme know your thoughts on this. I agree with your comment that a good solution for offline verification is to pass a trust root file out of band, which Ramon and I discussed, but I think the behavior in this PR is a nice default so that users do not need to be aware of the timestamp config. |
pkg/tuf/client.go
Outdated
| // Config will not exist during the first initialization | ||
| // of unexpired metadata | ||
| cfg = &Config{ | ||
| LastTimestamp: time.Now(), |
There was a problem hiding this comment.
I haven't tried yet, but does this mean that the client will assume that my local cache is already fresh, without first checking ~/.sigstore/root/tuf-repo-cdn.sigstore.dev.json?
There was a problem hiding this comment.
If the cache is already fresh, meaning c.up.Refresh() succeeded, and no configuration file exists, then no additional refresh will occur. This addition persists the current time so that on the next metadata load, the config will be checked.
There was a problem hiding this comment.
By fresh, I meant that my local copy up-to-date before creating the client.
There was a problem hiding this comment.
c.up.Refresh when UnsafeLocalRefresh is set does not make any network calls, it simply loads the metadata from disk. It will err out if the timestamp is out of date, that we cannot and should not bypass.
Does that answer your question?
There was a problem hiding this comment.
Those options seem like the right thing I could use. Would you make those publicly accessible?
There was a problem hiding this comment.
I don't think we should expose UnsafeLocalRefresh, but instead make sure we have caching options that match expected use cases. Which I think we do have currently, besides what's in this PR.
The more I look at this, I think that ForceCache is what most users should be using, and that CacheValidity doesn't have a clear use case.
|
I don't see any real issues with this PR (but I would prefer to only write the timestamp file upon sigstore client initiated tuf refresh), but I do think that the cache is being misused if there is a concern about one egress TUF update on the first invocation. The cache is not about prohibiting network calls to be made, as the timestamp can expire at any time. It's only about avoiding excessive tuf updates if a program is called within a "tight loop". Consider the scenario where the tuf cache is populated by some process at time |
That's understandable. For the use-cases I'm imagining, I would be using a separate process to provide fresh caches. |
If I set cache validity, to me, I want to continue to use TUF metadata up until the cache is expired as per the validity timestamp. So either:
|
pkg/tuf/client.go
Outdated
| @@ -105,9 +105,14 @@ func (c *Client) loadMetadata() error { | |||
| } else if c.opts.CacheValidity > 0 { | |||
| cfg, err := LoadConfig(c.configPath()) | |||
There was a problem hiding this comment.
I tested this with a fresh local cache (in a previous invocation, I let the tuf client do and update, like normally). But in the next invocation, LoadConfig does not error, like I think your comment is suggesting. Printed, It actually has the value &{0001-01-01 00:00:00 +0000 UTC}.
I agree, and I argue it does except for the first time as we have no idea on how old the cache actually is. The concern I have here, is that if there is an existing TUF cache, we don't know how old it is. We read it, and if it's valid sets the Clarifying this in the documentation is what I would prefer. |
|
There is a lot going on in this thread! I agree it isn't exactly clear who should own what, and how to do things like offline verification. What we decided for the gh CLI is that if you specify a That pull request also sets the TUF cache to 1 day to reduce (but not eliminate) TUF client network calls. |
|
Thanks all for the comments. I think the behavior of the initial network call might be a little unexpected still, but I recognize there isn't really a perfect way to do this - either we just implicitly cache like in this PR or we fetch the latest state. Tomorrow, I'll update this PR to be comment updates that specify a) the purpose of CacheValidity, b) when to use it vs ForceCache, c) the preferred way to do offline verification by providing a trusted_root file. |
|
thanks @haydentherapper, especially around using an |
Clarifies these are not sufficient for airgapped environments. Also leaves in a test to demonstrate the behavior of CacheValidity. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
|
@kommendorkapten Updated the comments, and I left in the test I had added since I think it's useful to demonstrate that CacheValidity will still update a local cache without a timestamp. |
haydentherapper
changed the title
haydentherapper
changed the title
This changes the behavior of the TUF client to use the cached metadata if it's unexpired on first initialization. Previously, if no config which included the last update timestamp was found, it would force a reinitialization. Now, the first init with cached metadata will be offline.
Fixes #162
Summary
Release Note
Documentation