Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Remove iso8601 dependency

See original GitHub issue

I’ve been going through the tuf dependency chain with an eye on integrating tuf with pip: The issue with pip is that it’s a package manager so needs to vendor everything it needs – so being conservative with dependencies is a good idea. The good news is that tuf does not have many direct or indirect dependencies that would be a problem (good work!).

The one that possibly sticks out is “iso8601”. The module is currently used in two places:

repository_tool: Metadata.expiration property getter uses it to return a datetime object
updater.py: Updater::_ensure_not_expired()

I’m mostly interested in that last one. it’s used to compare the expiration stamp to current time and to format the error message:

    expires_datetime = iso8601.parse_date(expires)
    expires_timestamp = tuf.formats.datetime_to_unix_timestamp(expires_datetime)

    if expires_timestamp < current_time:
      message = 'Metadata '+repr(metadata_rolename)+' expired on ' + \
        expires_datetime.ctime() + ' (UTC).'
      logger.error(message)

      raise tuf.exceptions.ExpiredMetadataError(message)

I’m not familiar with date handling in python so my question is: Is this dependency valid or could this code be replaced with something that did not depend on iso8601?

Issue Analytics

State:
Created 3 years ago
Comments:12 (12 by maintainers)

Top GitHub Comments

3reactions

jkucommented, Oct 13, 2020

I’ve just reviewed the iso8601 test suite and have come to the conclusion that using the iso8601 module is in fact not compliant with the (spirit of the) tuf spec: current implementation allows for timestamps that I would not expect to work after reading the spec, such as “2006-10-20T15:34:56.123+02:30”.

The spec currently says:

Metadata date-time data follows the ISO 8601 standard. The expected format of the combined date and time string is “YYYY-MM-DDTHH:MM:SSZ”. Time is always in UTC, and the “Z” time zone designator is attached to indicate a zero UTC offset. An example date-time string is “1985-10-21T01:21:00Z”.

I think the paragraph is fairly clear but first sentence could be better: we want to support only this very specific format of the ISO8601 not the whole iso8601 spec.

As for the implementation, I think the helper idea is good. I don’t think the replace() call in the example is needed: the strptime format used does not allow for a timezone at all.

1reaction

joshuaglcommented, Aug 24, 2020

The dateutil usage in securesystemslib does not appear to be necessary, so I created a PR to remove it secure-systems-lab/securesystemslib#268

Top Results From Across the Web

c# convert datetime object to iso 8601 string - Stack Overflow

I'm trying to convert a DateTime object to a ISO8601 string but keep getting wrong results. I've looked around on stackoverflow, ...

soffes/ISO8601: ISO8601 date parser and writer - GitHub

Fast ISO8601 date parser and writer for iOS & Mac. Installation. Carthage is the recommended way to install ISO8601. Add the following to...

How do I get an ISO 8601 date in string format in Python?

ISO 8601 is a date and time format which helps to remove different forms ... Epoch is the starting point of time and...

Docs - Moment.js

The current specification defines parsing a variation of ISO 8601 strings, where date-only forms (like "2020-09-14" ) are parsed as UTC, instead of...

Info on ISO 8601, the date and time representation standard

Writing date and time in some programming languages; Language dependent notations; Links to more information. Background: some problems. There ...