Closed jku closed 2 years ago
Nice spot. Given the current spec, I do not think the repository should make unversioned root metadata available.
AFAICT the inconsistency is because in earlier versions of the spec root was not bootstrapped out-of-band and was always (I think) TOFU. Current spec explicitly does not want root metadata to be TOFU, we [always](https://theupdateframework.github.io/specification/latest/#load-trusted-root):

> assume that a good, trusted copy of this file was shipped with the package manager or software updater using an out-of-band process.
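To make the point concrete, here is an added example (not code from the thread or from any TUF implementation) of the client-side root update loop the spec describes: the client starts from an out-of-band trusted root of version N, only ever requests `<N+1>.root.json`, and never asks for an unversioned `root.json`. Key ids, secrets and the repository contents are constructed, and HMAC-SHA256 stands in for the spec's real signature schemes.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys: HMAC secrets play the role of the root keys.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3"}

def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid, signed):
    return hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()

def make_root(version, keyids, threshold, signers):
    """Build a root metadata file whose root role lists `keyids`, signed by `signers`."""
    signed = {"_type": "root", "version": version,
              "roles": {"root": {"keyids": keyids, "threshold": threshold}}}
    return {"signed": signed, "signatures": {k: sign(k, signed) for k in signers}}

def verify(root, meta):
    """True if `meta` carries a threshold of valid signatures from `root`'s root role."""
    role = root["signed"]["roles"]["root"]
    good = sum(1 for k in role["keyids"] if k in meta["signatures"]
               and hmac.compare_digest(meta["signatures"][k], sign(k, meta["signed"])))
    return good >= role["threshold"]

def update_root(trusted, repo, requested=None):
    """Walk from the out-of-band trusted root to the newest one, one version at a time.
    `repo` maps filenames to metadata; only "<N+1>.root.json" names are ever requested."""
    while True:
        name = f"{trusted['signed']['version'] + 1}.root.json"
        if requested is not None:
            requested.append(name)
        nxt = repo.get(name)
        if nxt is None:
            return trusted  # no newer root published: current root stays trusted
        # Root update rule: N+1 must be signed by a threshold of the trusted root's keys
        # AND a threshold of its own keys, so a key rotation is endorsed by both sets.
        if not (verify(trusted, nxt) and verify(nxt, nxt)):
            raise ValueError("root signature threshold not met")
        if nxt["signed"]["version"] != trusted["signed"]["version"] + 1:
            raise ValueError("root version is not N+1")
        trusted = nxt

def demo_repo():
    """Constructed repository: a key rotation at version 2 (k1 retired, k3 added)."""
    r1 = make_root(1, ["k1", "k2"], 2, ["k1", "k2"])
    r2 = make_root(2, ["k2", "k3"], 2, ["k1", "k2", "k3"])  # signed by old and new keys
    r3 = make_root(3, ["k2", "k3"], 2, ["k2", "k3"])
    # An unversioned root.json is published here only to show the client never asks for it.
    return r1, {"1.root.json": r1, "2.root.json": r2, "3.root.json": r3, "root.json": r3}
```

A rotation that is signed only by the new keys fails the check against the trusted root, which is what stops an attacker from simply publishing a fresh root of their own.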
small inconsistency with regard to root.json versions: 6.2.1. Writing consistent snapshots states:
It is not in fact documented that a client could download root without a version (client workflow only downloads versioned roots). I can see how a Trust-On-First-Use (TOFU) client initialization could use this but that is not defined in the spec.
I guess either