Bug: Standard currently requires all metadata to be downloaded on each update check

[tkfu]

As currently written, the standard says that all four metadata files from both repositories must be downloaded every time a vehicle checks for updates. This shouldn't be necessary:

• When we download the timestamp metadata, it contains a hash of the snapshot metadata file; if the current snapshot file we have on disk matches that hash, we don't need to re-download it.
• Similarly, the snapshot metadata lists the current version numbers of all targets metadata files; if snapshot metadata tells us that the version of the top-level targets metadata file we already have on disk is the latest one, there's no reason to re-download it.

Is there anything wrong with this reasoning? Do we actually need to re-download metadata that we already have? And if not, how should we go about publishing this erratum, given that the IEEE-ISTO organization no longer exists?

[tkfu]

Note that this is an important issue for automotive OEMs, especially U.S.-American ones; minimizing mobile data transfer is often a key concern when evaluating any connected car services. Top-level targets metadata, especially, can sometimes be quite large depending on repository management and delegation choices.

[trishankatdatadog]

Yeah, this should be clarified.

[iramcdonald]

Hi, I agree with Jon's rationale and Trishank's assent. This should be clarified. Now that the IEEE-ISTO Uptane Alliance project has concluded, all errata should be published through the Uptane website and the Linux Foundation/JDF. We should ask Justin about how to proceed, since our JDF project is still formation in-progress. Cheers, - Ira Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Co-Chair - TCG Metadata Access Protocol SG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com PO Box 221 Grand Marais, MI 49839 906-494-2434

…

On Tue, Oct 29, 2019 at 4:48 PM Trishank K Kuppusamy < ***@***.***> wrote: Yeah, this should be clarified. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#147?email_source=notifications&email_token=AE33UO7DZYYIDHKN3BFQRN3QRCOSBA5CNFSM4JGO2P72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECSA6LA#issuecomment-547622700>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AE33UO2KKOJM57QRIPOESBDQRCOSBANCNFSM4JGO2P7Q> .

[pattivacek]

A third point that we discussed but isn't mentioned here: there's no need to download anything from the Image repo if the Director indicates there are no new updates to install.

[JustinCappos]

It may not be the most important thing but downloading the image repo's timestamp and snapshot is still helpful from a security standpoint in this case. It helps to prevent / limit mix-and-match attacks later...

[tkfu]

That could be a MAY or a SHOULD though, right? Or left to deployment considerations?

[jhdalek55]

i think actually two things require actions here. The first is correcting the error and the second is how we post the errata.

@tkfu would you be able to write up the PR to address the former? And can @JustinCappos and/or @iramcdonald suggest how we handle the errata?

[pattivacek]

I've pushed a PR with a fix for this, with the optimizations given as MAYs to accommodate @JustinCappos's suggestion that downloading the Image repo's Timestamp and Snapshot may actually be useful. However, I realized the top-level targets metadata file is not currently possible. Please see the PR for details.