mnm678
commented
10 months ago Thanks for the question!
Based on discussion in the Uptane Standards meeting, as the time source is not specified by Uptane, we will leave the choice of what counts as a "fatal" error" of the time source up to the implementation. This can be based on knowledge about the time source (such as reliability, whether there is a backup source of time, etc). We will update this in the text to clarify that if such a fatal error occurs, the update should not continue.
New text ideas:
- "If all steps are completed without fatal error..."
- "If the time checking process fails fatally..."
lorchrob
tkfu
To my reading, sections 3.1.1.1 and 3.1.1.3 seem to offer diverging advice as to how a primary ECU should handle a failure to verify the latest time from an external time source. In 3.1.1.1, it says “If it [primary ECU] fails to meet this [verification] criteria, discard the response and continue the procedure without an updated time”. However, 3.1.1.3 says “If any check fails, the ECU SHOULD NOT overwrite its current attested time, but SHOULD jump to the last step …”.
To make things consistent, any of the following changes could be made:
Any thoughts?