ngclient: review snapshot hashes/length check #1523
joshuagl added the backlog label (Issues to address with priority for current development goals) Aug 18, 2021
This was referenced Aug 18, 2021
I would like to take this issue and will assign myself.
I will wait with the implementation of a PR resolving this issue until there is a prototype for #1444 which will make creating a test
Update process if timestamp meta contains hashes for snapshot:
The same issues do not exist for targets as they have no rollback checks.
Similar issues for version numbers and expiry are being fixed by delaying the checks until we know we have the "final" snapshot. We don't want to do the exact same thing here as the hashes are meant to prevent even parsing data we don't trust... This seems to be a case where "trusted local metadata" and "untrusted data from network" is the deciding factor. TrustedMetadataSet does not have this information currently so possibly we need to add an argument to update_snapshot():
where trusted data would not be hash/length checked, but untrusted data would. Looks a bit ugly since none of the other update functions need this but it would seem to work in all cases:
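A sketch of the `trusted` argument idea from the issue above, added here as an example; it is not code from the issue or from python-tuf. `SketchTrustedSet`, `verify_length_and_hashes` and the sample metadata are hypothetical and constructed, and signature, version and expiry checks are left out.

```python
import hashlib
import json

class LengthOrHashMismatchError(Exception):
    """Raw bytes do not match the length/hashes listed for them."""

def verify_length_and_hashes(data: bytes, length=None, hashes=None) -> None:
    """Check unparsed bytes against the optional length and hashes."""
    if length is not None and len(data) != length:
        raise LengthOrHashMismatchError(f"length {len(data)} != {length}")
    for algo, expected in (hashes or {}).items():
        if hashlib.new(algo, data).hexdigest() != expected:
            raise LengthOrHashMismatchError(f"{algo} digest mismatch")

class SketchTrustedSet:
    """Hypothetical stand-in; signature/version/expiry checks omitted."""

    def __init__(self, snapshot_meta: dict) -> None:
        # snapshot_meta: snapshot entry of an already verified timestamp
        self.snapshot_meta = snapshot_meta
        self.snapshot = None

    def update_snapshot(self, data: bytes, trusted: bool = False) -> None:
        if not trusted:
            # Untrusted network bytes: check before parsing anything
            verify_length_and_hashes(data, self.snapshot_meta.get("length"),
                                     self.snapshot_meta.get("hashes"))
        # Trusted local bytes skip the check, as the issue proposes
        self.snapshot = json.loads(data)

def demo() -> dict:
    # Constructed sample data: local copy is v1, timestamp describes v2
    old = json.dumps({"signed": {"_type": "snapshot", "version": 1}}).encode()
    new = json.dumps({"signed": {"_type": "snapshot", "version": 2}}).encode()
    meta = {"length": len(new),
            "hashes": {"sha256": hashlib.sha256(new).hexdigest()}}
    trusted_set = SketchTrustedSet(meta)
    trusted_set.update_snapshot(old, trusted=True)  # local load succeeds
    result = {"local": trusted_set.snapshot["signed"]["version"]}
    try:
        trusted_set.update_snapshot(old)  # same bytes from the network
        result["old_from_network"] = "accepted"
    except LengthOrHashMismatchError:
        result["old_from_network"] = "rejected"
    trusted_set.update_snapshot(new)
    result["final"] = trusted_set.snapshot["signed"]["version"]
    return result
```

In the constructed data both snapshots have the same length, so the rejection of the old bytes from the network comes from the hash comparison alone.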