hughsie
commented
1 year ago Thanks, that's useful to know. From a D-Bus API point of view we return an a{sv} so it's easy enough to add. From a requesting-using-a-uri point of view it's harder, although maybe we can redirect with ? parameters. I'll ponder, thanks.
For a client to verify a fetch, it must read a potentially unbounded amount of data in order to verify it matches the sha256 digest. If the trusted metadata is the 2-tuple
(size, sha256)then a client can error out if the remote gives it more thansizebytes. For OCI/Docker containers, the metadata today includes both. In ostree, it doesn't, and I regret it.