theupdateframework / specification

The Update Framework specification
https://theupdateframework.github.io/specification/

should repository make unversioned root metadata available or not? #184

Closed jku closed 2 years ago

jku commented 3 years ago

Small inconsistency with regard to root.json versions: 6.2.1. Writing consistent snapshots states:

an implementation must write both root.json and version_number.root.json because it is possible to download root metadata both with and without known version numbers.

It is not in fact documented that a client could download root without a version (the client workflow only downloads versioned roots). I can see how a Trust-On-First-Use (TOFU) client initialization could use this, but that is not defined in the spec.

I guess either

joshuagl commented 3 years ago

Nice spot. Given the current spec, I do not think the repository should make unversioned root metadata available.

AFAICT the inconsistency is because in earlier versions of the spec root was not bootstrapped out-of-band and was always (I think) TOFU. The current spec explicitly does not want root metadata to be TOFU; we [always](https://theupdateframework.github.io/specification/latest/#load-trusted-root):

assume that a good, trusted copy of this file was shipped with the package manager or software updater using an out-of-band process.
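
The root update loop discussed in this thread, as an added example that is not code from the thread or from the TUF project: a simplified client starts from a root shipped out-of-band and only ever requests `N+1.root.json`, so an unversioned `root.json` on the repository is never fetched. HMAC stands in for a real signature scheme so the block runs offline, and all key names, the metadata layout and the function names are assumptions.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for a real signature scheme (assumption).
KEYS = {"k1": b"demo-key-1", "k2": b"demo-key-2"}

def sign(keyid, signed):
    msg = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(KEYS[keyid], msg, hashlib.sha256).hexdigest()

def make_root(version, keyids, threshold, signers):
    signed = {"version": version, "keyids": keyids, "threshold": threshold}
    return {"signed": signed, "signatures": {k: sign(k, signed) for k in signers}}

def meets_threshold(authority, candidate):
    """True if candidate carries enough valid signatures from authority's root keys."""
    signed, sigs = candidate["signed"], candidate["signatures"]
    good = sum(1 for k in authority["signed"]["keyids"]
               if k in sigs and hmac.compare_digest(sigs[k], sign(k, signed)))
    return good >= authority["signed"]["threshold"]

def update_root(trusted, fetch):
    """Walk the root chain from the trusted version; return (new root, names requested)."""
    requested = []
    while True:
        want = trusted["signed"]["version"] + 1
        name = f"{want}.root.json"          # always a versioned name
        requested.append(name)
        new = fetch(name)
        if new is None:                     # no newer root published
            return trusted, requested
        # The new root must be signed by the old root's keys and by its own keys.
        if not (meets_threshold(trusted, new) and meets_threshold(new, new)):
            raise ValueError(f"{name}: signature threshold not met")
        if new["signed"]["version"] != want:
            raise ValueError(f"{name}: unexpected version")
        trusted = new

# Constructed repository: root rotates from k1 to k2 in version 2.
SHIPPED_ROOT = make_root(1, ["k1"], 1, ["k1"])        # delivered out-of-band
REPO = {
    "2.root.json": make_root(2, ["k2"], 1, ["k1", "k2"]),
    "3.root.json": make_root(3, ["k2"], 1, ["k2"]),
    "root.json": make_root(3, ["k2"], 1, ["k2"]),     # unversioned copy, never requested
}

def demo():
    return update_root(SHIPPED_ROOT, REPO.get)

if __name__ == "__main__":
    root, requested = demo()
    print(root["signed"]["version"], requested)
```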