Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Add more text describing threshold computation#154

Merged
mnm678 merged 4 commits intotheupdateframework:mastertheupdateframework/specification:masterfrom
joshuagl:joshuagl/calculate-thresholdjoshuagl/specification:joshuagl/calculate-thresholdCopy head branch name to clipboard
Aug 17, 2023
Merged

Add more text describing threshold computation#154
mnm678 merged 4 commits intotheupdateframework:mastertheupdateframework/specification:masterfrom
joshuagl:joshuagl/calculate-thresholdjoshuagl/specification:joshuagl/calculate-thresholdCopy head branch name to clipboard

Conversation

@joshuagl
Copy link
Member

@joshuagl joshuagl commented Apr 12, 2021

Add some additional text to each "Check for an arbitrary software attack" section describing threshold computation, in an attempt to help TUF implementers avoid falling into the trap of a naive implementation of threshold counting resulting in incorrect, security affecting, behaviour.

Further enhance this guidance by recommending, in "File formats", that the signatures list only contain one signature per keyid.

This kind of detail will be easier to add in a much clearer way once we rewrite the workflow to call out to subsections (#121), however I wanted to add this information as soon as possible because we continue to see implementers falling into the same trap:

@joshuagl joshuagl mentioned this pull request Apr 12, 2021
Closed
mnm678
mnm678 previously approved these changes Apr 16, 2021
View reviewed changes
Copy link
Collaborator

@mnm678 mnm678 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the clarification, hopefully this will help prevent future threshold mistakes.

This is related to another approach to this problem in #155, though the approach there would require a breaking change.

@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from c6a3f8c to a98c6a5 Compare May 28, 2021 14:34
@joshuagl
Copy link
Member Author

joshuagl commented May 28, 2021

Rebased on the latest master with a new version and date added. Please take a look @trishankatdatadog @mnm678

mnm678
mnm678 previously approved these changes May 29, 2021
View reviewed changes
trishankatdatadog
trishankatdatadog reviewed May 29, 2021
View reviewed changes
tuf-spec.md Outdated Show resolved Hide resolved
tuf-spec.md Show resolved Hide resolved
tuf-spec.md Outdated Show resolved Hide resolved
@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from a98c6a5 to 215d10b Compare April 14, 2023 14:02
@joshuagl
Copy link
Member Author

joshuagl commented Apr 14, 2023

Almost two years later !? 🙊 I've managed to add some more text in an attempt to address @trishankatdatadog's concerns. I rebased on the latest changes and updated version and date.

With the current version and date in the commit this PR SHOULD follow #272

@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from 215d10b to f1b6165 Compare June 2, 2023 11:14
joshuagl and others added 4 commits August 17, 2023 12:12
@joshuagl
Add signature threshold computation advice
c06c4d5 
Several implementations have made similar errors -- counting multiple
signatures by the same keyid -- when implementing signature threshold
computation, for example the reference implementation:
GHSA-pwqf-9h7j-7mv8
theupdateframework/python-tuf@83ac7be

Add some extra description to the detailed client workflow to further
explain that a threshold of signatures should only count one signature
per key.

Signed-off-by: Joshua Lock <jlock@vmware.com>
@joshuagl
Recommend signatures only contain one sig per keyid
f005792 
In an attempt to help implementers protect against incorrect threshold
computation, update "File formats" to suggest that the signatures list
contain only a single signature per keyid at metadata creation time.

Suggested-by: Jussi Kukkonen <jkukkonen@vmware.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
@joshuagl
Address review comments
48120a6 
Be more explicit that each KEYID can only count one signature towards the
threshold.

Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
@joshuagl
Bump version and date
ec2e1ac 
Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from f1b6165 to ec2e1ac Compare August 17, 2023 11:12
@joshuagl
Copy link
Member Author

joshuagl commented Aug 17, 2023

I'd love to get this PR off my backlog, any chance of some reviews @trishankatdatadog, @mnm678 and @lukpueh ?

lukpueh
lukpueh approved these changes Aug 17, 2023
View reviewed changes
Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@joshuagl joshuagl mentioned this pull request Aug 17, 2023
Open
@mnm678 mnm678 merged commit c51875f into theupdateframework:master Aug 17, 2023
@joshuagl joshuagl deleted the joshuagl/calculate-threshold branch August 18, 2023 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukpueh lukpueh lukpueh approved these changes

@mnm678 mnm678 mnm678 approved these changes

+1 more reviewer

@trishankatdatadog trishankatdatadog trishankatdatadog left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joshuagl @lukpueh @mnm678 @trishankatdatadog
Morty Proxy This is a proxified and sanitized view of the page, visit original site.