[TUF] 5.5. Update the snapshot role - How would you recall a target file


dbrassard

Oct 11, 2023, 10:18:10 AM
to The Update Framework (TUF)
Hi,

The Update Snapshot Role process mentions:

"Furthermore, any targets metadata filename that was listed in the trusted snapshot metadata file, if any, MUST continue to be listed in the new snapshot metadata file."

What would be the process if we want to recall a file?

From my understanding, we cannot remove the file from the snapshot metadata file, otherwise the client will discard the new snapshot metadata file.
Those files need to stay in the repository and we would have to filter them in our implementation.

Thanks,

Denis

Jussi Kukkonen

Oct 12, 2023, 11:46:24 AM
to The Update Framework (TUF)
Hi Denis,

There are some details to notice here:
1. You do not need to remove the targets metadata filename from snapshot to make that targets metadata 100% inoperative: Once you remove the _delegation_ to that role, clients will never end up loading that metadata.
2. If the issue is content in the targets metadata file (let's imagine the targetpaths leaked some information that should not have been leaked), you can of course remove the actual metadata file after doing step 1 above (this is fine since clients will never try to download it since it's no longer part of the delegation tree)

Finally, for completeness: you can remove targets metadata filenames from snapshot if you also replace snapshot keys (this is a side effect of the fast-forward recovery in 5.3.11). I would not recommend doing this unless snapshot has somehow grown far too large.

HTH, Jussi
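
The two recall options discussed above, as an added example that is not part of the original thread or of any TUF implementation: a simplified version of the snapshot check quoted in the question, next to the delegation walk that decides which targets metadata a client ever loads. The role names, version numbers and dict shapes are constructed for illustration, and signature and expiry checks are left out.

```python
# Added illustration with simplified data shapes; not a real TUF client.
class SnapshotRejected(Exception):
    """The new snapshot violates the rule quoted in the question."""

def check_new_snapshot(trusted_meta, new_meta):
    """Both arguments map a targets metadata filename to its version."""
    for filename, trusted_version in trusted_meta.items():
        if filename not in new_meta:
            raise SnapshotRejected(f"{filename} no longer listed")
        # The same spec step also forbids a version number going backwards.
        if new_meta[filename] < trusted_version:
            raise SnapshotRejected(f"{filename} version decreased")

def snapshot_accepted(trusted_meta, new_meta):
    try:
        check_new_snapshot(trusted_meta, new_meta)
    except SnapshotRejected:
        return False
    return True

def reachable_roles(delegations, start="targets"):
    """Roles a client can end up loading by following delegations."""
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(delegations.get(role, []))
    return seen

# Constructed sample state: top-level targets delegates to two roles.
TRUSTED_SNAPSHOT = {"targets.json": 3, "vendor-a.json": 2, "vendor-b.json": 5}
# Recall attempt that drops the filename from snapshot.
DROPPED = {"targets.json": 4, "vendor-a.json": 2}
# Recall by removing the delegation: new targets version, entry kept.
KEPT = {"targets.json": 4, "vendor-a.json": 2, "vendor-b.json": 5}
DELEGATIONS_AFTER_RECALL = {"targets": ["vendor-a"]}  # vendor-b removed

if __name__ == "__main__":
    print("dropped entry accepted:", snapshot_accepted(TRUSTED_SNAPSHOT, DROPPED))
    print("kept entry accepted:", snapshot_accepted(TRUSTED_SNAPSHOT, KEPT))
    print("roles still loaded:", sorted(reachable_roles(DELEGATIONS_AFTER_RECALL)))
```
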

Denis Brassard

Oct 12, 2023, 2:39:36 PM
to Jussi Kukkonen, The Update Framework (TUF)
Thank you both for the clarification.

Denis


Justin Cappos

Oct 12, 2023, 3:55:38 PM
to Jussi Kukkonen, The Update Framework (TUF)
One other situation to be aware of here is that if you bump the targets file to a higher version, the old one also is inaccessible / can be removed.

Thanks,
Justin


Denis Brassard

Oct 12, 2023, 4:36:43 PM
to Justin Cappos, Jussi Kukkonen, The Update Framework (TUF)
Right, I was confused with the target metadata and the actual target file.
It makes more sense to me now.


Trishank Kuppusamy

Oct 12, 2023, 4:55:38 PM
to Denis Brassard, Justin Cappos, Jussi Kukkonen, The Update Framework (TUF)
On Thu, 12 Oct 2023 at 16:36, Denis Brassard <denisb...@gmail.com> wrote:
Right, I was confused with the target metadata and the actual target file.
It makes more sense to me now.

(Incidentally, we should rename "targets" to "artifacts", the same way we renamed "release" to "snapshot".) 
