theupdateframework / specification

The Update Framework specification
https://theupdateframework.github.io/specification/

Clarify that delegations are optional #157

Closed MVrachev closed 3 years ago

MVrachev commented 3 years ago

Nowhere in the spec do we clarify that "delegations" is an optional field in the targets metadata file. This is a possible reason why (at the time of writing this commit) in the TUF python reference implementation "delegations" is still a required field.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>

jku commented 3 years ago

> the TUF python reference implementation "delegations" is still a required field.

What is this based on btw (where is it required)?

MVrachev commented 3 years ago

In the new metadata API: https://github.com/theupdateframework/tuf/blob/41f7e809fef4cfe578cd2bd96f497da74b1bce15/tuf/api/metadata.py#L690

jku commented 3 years ago

Ah right: so it's a bug in new API. Fixing that definitely does not preserve backwards compatibility (a client that assumed delegations are required by using the current API will break if the server now makes delegations optional) but that seems ok if it's in api/metadata.py...

In any case that's an implementation issue: the spec is not changing its position, it's clarifying an existing one as I see it: the definition of "signed" already has delegations in parentheses (the use of parentheses in the spec does not seem entirely consistent but in this case I read that as meaning "optional"). LGTM.

joshuagl commented 3 years ago

Per the scope section of the spec we use keywords from RFC 2119, so we should say OPTIONAL in uppercase.

The custom field is also optional, could you add a change to address that also?

MVrachev commented 3 years ago

Superseded by #165.
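The point discussed in this thread, as an added example that is not part of the thread and is not python-tuf code: a reader for the "signed" part of targets metadata that rejects missing required fields but accepts metadata with no "delegations" and targets with no "custom". The function name, the sample document and the required-field lists (taken from my reading of the TUF specification's targets format) are assumptions.

```python
# Required fields of targets "signed" and of each target entry (assumed from the spec).
REQUIRED_SIGNED = ("_type", "spec_version", "version", "expires", "targets")
REQUIRED_TARGET = ("length", "hashes")

# Constructed sample: valid targets metadata that carries no "delegations".
SAMPLE_SIGNED = {
    "_type": "targets",
    "spec_version": "1.0.0",
    "version": 3,
    "expires": "2030-01-01T00:00:00Z",
    "targets": {
        "app.tar.gz": {"length": 1024, "hashes": {"sha256": "00" * 32}},
        "cfg.json": {"length": 64, "hashes": {"sha256": "11" * 32},
                     "custom": {"channel": "stable"}},
    },
}


def parse_targets_signed(signed: dict) -> dict:
    """Validate targets "signed"; OPTIONAL fields become None when absent."""
    missing = [k for k in REQUIRED_SIGNED if k not in signed]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")
    if signed["_type"] != "targets":
        raise ValueError(f"unexpected _type: {signed['_type']!r}")

    targets = {}
    for path, info in signed["targets"].items():
        absent = [k for k in REQUIRED_TARGET if k not in info]
        if absent:
            raise ValueError(f"target {path!r} missing {absent}")
        targets[path] = {
            "length": info["length"],
            "hashes": info["hashes"],
            "custom": info.get("custom"),  # OPTIONAL: absent is not an error
        }

    # OPTIONAL: signed["delegations"] would raise KeyError on SAMPLE_SIGNED,
    # which is how a field ends up "required" by accident.
    delegations = signed.get("delegations")
    if delegations is not None and not isinstance(delegations, dict):
        raise ValueError("delegations, when present, must be an object")

    return {"version": signed["version"], "expires": signed["expires"],
            "targets": targets, "delegations": delegations}


if __name__ == "__main__":
    print(parse_targets_signed(SAMPLE_SIGNED)["delegations"])
```

Keeping absent optional fields as `None`, rather than defaulting them to an empty object, lets callers distinguish "no delegations field" from "delegations present but empty".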