Tap 14 draft pr

[abs007]

• Commits fc5bd5c to 88c140a are based around setting up a sample metadata structure inside the repository folder (which is inside repository_data) for testing

• 774a039 is for reverting repository back to its original state and 8845ebd stores the metadata inside a new TAP 14 folder

• df46e38 and 0f50945 add test functions that check inside the TAP 14 folder

• Currently working on implementing changes to the client update process inside the updater.py file

[coveralls]

Pull Request Test Coverage Report for Build 2621327940

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 20 of 20 (100.0%) changed or added relevant lines in 2 files are covered.
• 9 unchanged lines in 1 file lost coverage.
• Overall coverage decreased (-0.5%) to 97.584%

---

Files with Coverage Reduction	New Missed Lines	%
tuf/ngclient/updater.py	9	94.21%

Totals
Change from base Build 2609032759:	-0.5%
Covered Lines:	1244
Relevant Lines:	1265

---

💛 - Coveralls

[abs007]

Should I squash commits fc5bd5c to 774a039 ?

[MVrachev]

@abs007 as the changes are a lot could you chime in and explain your thoughts on the TAP 14 implementation?
Now as you have some experience with that you have a valuable perspective on that and as it seems there is no full consensus on that feature #2040 it will be good to hear your opinion.

[abs007]

So currently I along with @mnm678 and @znewman01 are working on implementing the changes to how a client would be downloading the metadata according to the format in the TAP 14 specification. This means tinkering with the updater.py file to add new functionality.

[MVrachev]

Please keep in mind that you can't just replace the value of any of the fields in the signed dictionary without re-signing the files again or the files will fail verification.

[abs007]

This I believe was made as a temporary change rather and the original state of repository_data/repository was brought back again in 774a039.

That being said, all of the metadata was copied over inside the repository_data/TAP 14/1.0.0 & repository_data/TAP 14/2.0.0 folders and metadata inside the 2.0.0 had the "spec_version" changed to 2.0.0 in a similar manner (just to show that this was metadata belonging to 2.0.0).
That seems like something I'll have to take a look at, thanks.

[jku]

I know this is still a draft but I'll leave a quick comment: I don't understand why the client needs this functionality and before this PR is made ready I would like to see a comment in #2040 that explains the real world use case: how is this useful for python-tuf users?

Background for my confusion: If a repository starts offering multiple versions of the repository, why can't clients decide to "upgrade" using a plain old software update on the client, so that the client just switches from old to new repository URL? (I'm obviously assuming that the python-tuf version used supports both versions of the spec -- but so does this proposal I think)

In practice, if a future TUF-enabled pypi.org made available a second repository using a newer TUF spec features I think it would be totally appropriate for pip, the client, to simply change the used repo URL to the new repository in a pip software update. What advantage is there in making this repository selection dynamic?

[znewman01]

Thanks for the question, will get back to you soon. But in the meantime, can we move this discussion back to the associated Issue from this PR, since you’re raising questions about the utility of the feature itself?

…

On Aug 7, 2022, at 1:10 PM, Jussi Kukkonen ***@***.***> wrote:  I know this is still a draft but I'll leave a quick comment: I don't understand why the client needs this functionality and before this PR is made ready I would like to see an issue opened that explains the real world use case: how is this useful for python-tuf users? Background for my confusion: If a repository starts offering multiple versions of the repository, why can't clients decide to "upgrade" using a plain old software update on the client, so that the client just switches from old to new repository URL? (I'm obviously assuming that the python-tuf version used supports both versions of the spec -- but so does this proposal I think) In practice, if a future TUF-enabled pypi.org made available a second repository using a newer TUF spec features I think it would be totally appropriate for pip, the client, to simply change the used repo URL to the new repository in a pip software update. What advantage is there in making this repository selection dynamic? — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.

[znewman01]

Great work! I have a lot of comments, but you're making progress

[znewman01]

Make this private: self._spec_version

[znewman01]

probably want self.config.supported_versions_max_length in place of "length placeholder". Need to add a line to tuf/ngclient/config.py as well.

[abs007]

Considering my comment above, should supported_versions_max_length have the length in bytes equivalent?

[znewman01]

Yes, it should use 'bytes' as the unit

[abs007]

What could be a possible value for supported_versions_max_length in that case?

[znewman01]

Think about an example supported-versions.json file:

{"supported_versions": ["1", "2", "3", "4"]}

That's got 45 bytes in it. So let's maybe round up to 1000 bytes? That's a pretty huge margin of error but well short of anything that could cause issues

[abs007]

What could be the approx len() of the list in case of 1000 bytes?

[znewman01]

Well, a list with 1000 elements would definitely serialize to have > 1000 bytes. The real threshold would probably be a couple hundred.

Why do you ask?

[znewman01]

I think you should just return repository_versions. We don't need to put it inside a JSON dictionary

[abs007]

From what I can understand, supported-versions.json is a JSON dictionary itself :

{ "supported_versions" : [VERSION, ...],  //From the TAP14 page

So, If I return repository_versions instead then won't that return the dictionary itself? What I was trying to do was index the [VERSION, ...] list using the supported_versions key.

[znewman01]

Oh, you're right! I misremembered the proposed update to the specification.

[znewman01]

Oh, we need to return the actual spec version too!

Maybe make the return type Tuple[Optional[str], Optional[str]].

[abs007]

How about Tuple[[str], Optional[str]] ? spec_version is supposed to be either "" or [versions, ...] whereas warning can be None.

[znewman01]

I see return (str(spec_version), warning) below, which suggests:

Tuple[str, Optional[str]].

[abs007]

Ah, I meant that, oops. Will add that then.

[znewman01]

Make sure to mention the return type, which is a little funky. When does it return the message?

[abs007]

How about?

Returns the specification version to be used and displays a warning if chosen spec_version
is lower than the highest repository version.

[znewman01]

Looks great! I might add "specification version to be used, following the rules of TAP-14"

[abs007]

Also, shouldn't I mention the return type in the function definition above and keep the docstring to just an explanation?

[znewman01]

Good point—you don't typically want to repeat the type signature in documentation. However, it's not obvious to me from reading what Tuple[str, Optional[str]] means.

There are two ways to fix that:

1. Make two NewTypes :

   SpecificationVersion = NewType('SpecificationVersion', str)
   WarningMessage = NewType('WarningMessage', str)

   so the return type becomes Tuple[SpecificationVersion, Optional[WarningMessage]]. That's self-documenting, so there's no need to repeat it in the docstring.

2. Explain what the str and Optional[str] values are in the docstring

I might actually prefer (1), because I think in the medium term we want to make a full SpecificationVersion class to encapsulate ordering (so you don't have to convert to/from int in _get_spec_version), parsing, and conversion to URL parts. However, (2) is much easier so it's fine to do that for now.

[abs007]

I'm a bit confused. If SpecificationVersion would essentially be derived from str then won't there be TypeError be thrown when I'm still comparing it with latest_repo_version and performing int type functions on it?

[znewman01]

Right—if you just make SpecificationVersion as a NewType, you can't compare them directly. It's the same as what you have now.

Eventually, you'd make a full class SpecificationVersion which doesn't require conversion to/from int.

[znewman01]

Call this test_get_spec_version_supported or something. And put the comment below in a docstring.

[znewman01]

assertRaises takes an optional second argument: a message. This is really nice way to tell readers of your test code what you're checking:

self.assertRaises(exceptions.DownloadError, "4 is not a supported version").

Go through and do that for every assertRaises or assertEqual call

[abs007]

Fyi, test_get_spec_version1 now test_get_spec_version_supported doesn't pass because SUPPORTED_VERSIONS isn't defined correctly.

[znewman01]

That's fine—in fact, really test_get_spec_version should only handle major version 1. So let's update the test cases

[znewman01]

This should actually be SUPPORTED_VERSIONS = [SPECIFICATION_VERSION] for now.

[abs007]

But I'm guessing that it'll have to change and be read from the disk?

[znewman01]

No—SUPPORTED_VERSIONS is a property of the client library (that is, python-tuf).

The "last used specification version" is what we write to/read from disk.

[abs007]

Got it.

[znewman01]

Can you push changes that address my comments before marking them as resolved? Makes it easier for me to track what we've been talking about.

[abs007]

Sure. Will do that

[znewman01]

Call this just test_get_spec_version

[znewman01]

When you have this many test cases, I recommend putting them in a list:

test_cases = [
    (["1", "2", "3"], "3", ["3", "5", "6"],  "3", False),
    (["3", "5", "6"], "3", ["1", "2", "3", "4"], "3", True),
]
for repo_versions, spec_version, supported_versions, expected_version, should_have_warning in test_cases:
    actual_version, warning = _get_spec_version(...)
    self.assertEqual(actual_version, expected_version)
    self.assertEqual(bool(warning), should_have_warning)
# Do something similar for error_test_cases

[znewman01]

Then you can have a comment for each test case explaining why you have it.

[abs007]

So, should I add a msg or leave a comment? I guess doing both would be repetitive.

[znewman01]

Yeah, if you're going to put a msg in the asserts you don't need a comment.

[abs007]

My bad actually. I'll have to put comments if I'll be using the for loop.

[znewman01]

If this fails, we probably want to return ["1"]

[znewman01]

Or [""]

[abs007]

Also, should I use download_bytes() instead because afai can see, download_bytes() just uses download_file() inside of fetcher.py

[znewman01]

Oh, good call—do that!

[znewman01]

This should probably be: None

[znewman01]

Maybe check the errno:

except OSError as err:
    import errno # this should be at top, of course
    if err.errno != errno.ENOENT:
        raise
    self._spec_version = ...

[znewman01]

IMO if your ternary operator spans 3 lines, better to just do an if/else

[znewman01]

spec_version is not None or spec_version == "1" <- doesn't the latter condition imply the former? if spec_version == "1" then it's definitely not None

[znewman01]

So, we need to decide how to represent:

1. spec version 1, everything lives in the root /*
2. spec version 1, everything lives under /1/*

These should be different. I think (1) should be None and (2) should be "1".

That means we should return [None].

[znewman01]

Maybe worth checking e.status_code == 404; otherwise it could be a real error.

[znewman01]

I think it's a good idea to check that SUPPORTED_VERSIONS == ["1"]; it won't change for a long time.

[znewman01]

I think now you need to account for the None case for repository_versions

This is actually starting to get a little confusing: there's "version/path pairs" (which come from the repository versions, and then there are just "versions" (from supported versions). _get_spec_version should pick a matching (version, path) pair.

It might be worth encoding that in the type system.

[znewman01]

Or maybe even just have a function from "path" to version and use that in _get_spec_version.

[znewman01]

This is gonna be subtle when we have to worry about None too (just a warning)

[lukpueh]

#2114 claims that it supersedes this PR. Can we close here?

[abs007]

Sure