The more I think about it, the more I like Justin's idea of
addressing metadata or target by its hash.
Here is a simple change to the TUF specification that will
accommodate this idea.
(Assume that file reads and writes are exclusive; i.e. no one will
be able to write to a file that is being read, or read a file that
is being written.) The first step of updating with TUF is to
download timestamp.txt. This will remain unchanged. However, recall
that timestamp.txt will contain the hashes of release.txt. It will
then be an option for the client to download release.txt this way:
GET
http://example.com/hash?sha256=ae0d27d17c7f77983c3226f2e547322a0b0d9d34af23cd115b56322501220428
This is a signal to the TUF repository at
example.com to return a
file (release.txt in this case) with that SHA256 hash. TUF will be
agnostic with respect to the choice of key-value store used to
implement this.
Everything else from timestamp onwards should be download-able this
way. We can then keep consistent, read-only snapshots of the
repository. Eventually, the repository will run out of space to keep
new snapshots. We can use something like a "mark-and-sweep"
algorithm to preserve the contents of the latest release: walk the
latest release, mark all visited objects, delete all unmarked
objects. The last few releases may be preserved in a similar manner.
Have I missed something here? Any counterargument?