Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Must signed.version be incremented every time a role is re-signed?
See original GitHub issueDescription of issue or feature request:
After reading the TUF specification and studying the basic_repo.py example, one thing remains unclear to me:
When exactly do we need to increment signed.version?
It is clear that we need to increment the signed.version after e.g. adding a new target, as detailed in the basic_repo.py example.
However, what if we only modify signed.expires, after a role has expired, without changing anything else? Do we also need to increment signed.version in that case? That would imply e.g. the version of timestamp is incremented every time it is re-signed.
In general, do we need to increment a role’s signed.version every time we re-sign that role, without exception?
Current behavior:
It is not explicitly clear from the documentation when signed.version needs to be incremented.
Expected behavior:
It would be very helpful if the documentation/specification could clarify this point explicitly.
Perhaps the basic_repo.py example could also show a snippet where an expired timestamp is re-signed (without any changes to the root, targets, or snapshot metadata).
Issue Analytics
- State:
- Created a year ago
- Comments:21 (11 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
… and publishes it for someone to consume.
I would say.
Good point, stuff like this would make the docs much better. I believe any change to published signed metadata should lead to version bump: otherwise clients can’t know when they need to download new metadata (in the case that they already have the previous version downloaded).
The only modification to metadata that doesn’t need this that I could imagine is adding signatures… but even that seems safe only before the metadata is made public to clients (otherwise some clients could have fewer signatures and then signing keys might get changed and who knows how that would end).