Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Identify components of client and determine how to split out client from current code base #1181

Closed
joshuagl opened this issue Oct 21, 2020 · 3 comments
Closed

Identify components of client and determine how to split out client from current code base #1181

joshuagl opened this issue Oct 21, 2020 · 3 comments
Labels
client Related to the client (updater) implementation

Comments

@joshuagl
Copy link
Member

Description of issue or feature request:

For both the pip integration, and in order to provide some semblance of support for Python 2.7 users when we proceed with the refactor (#1127), it would be very useful to have the client be installable by itself without any of the modules which are only used for a repository.

We should identify what pieces of the current code are required by the client. Can we create a branch with only the client and its dependencies? Can we adapt the current client tests to work without tuf.repository_lib and tuf.repository_tool?

The tuf updater requires at least the following modules:

  • tuf.client.updater
  • tuf.download
  • tuf.mirrors
  • tuf.sig
  • tuf.formats
  • tuf.settings
  • tuf.keydb
  • tuf.roledb
  • tuf.exceptions

Current behavior:

Client and repository code is installed as one big package

Expected behavior:

Possible to install only the client, without any modules used only by a repository
@joshuagl joshuagl added the client Related to the client (updater) implementation label Oct 21, 2020
@sechkova
Copy link
Contributor

I can try and help here, starting with a client branch with a couple of tests only and we can progress gradually.

Tests use repository_tool and repository_lib mostly to load, sign and write metadata. It seems possible to replace these calls by doing the file operations "manually" and calling directly securesystemslib.

One question is which tests should be considered client-only? Besides the obvious test_updater, the tests that import the updater module are:

test_arbitrary_package_attack.py
test_endless_data_attack.py
test_extraneous_dependencies_attack.py
test_indefinite_freeze_attack.py
test_key_revocation_integration.py
test_mix_and_match_attack.py
test_multiple_repositories_integration.py
test_replay_attack.py
test_slow_retrieval_attack.py
test_updater_new.py
test_updater.py
test_updater_root_rotation_integration.py

Should we keep one client-only version of these tests as well as one repository version or depending on the context and type of the simulated attack we can assign them to one of the two?

I kept the hard question for the end ... naming? tuf-client?

@lukpueh
Copy link
Member

lukpueh commented Nov 19, 2020

I kept the hard question for the end ... naming? tuf-client?

Hard question indeed, although in this case tuf-client seems like the obvious choice.

@sechkova sechkova mentioned this issue Nov 24, 2020
Closed
3 tasks
@jku
Copy link
Member

jku commented Jan 12, 2022

I think we have our answer now: metadata API + ngclient is the minimal set. Splitting out is likely not necessary but separate packaging would be possible

@jku jku closed this as completed Jan 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
client Related to the client (updater) implementation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[WIP] tuf-client as a standalone installation sechkova/tuf
4 participants
@jku @lukpueh @joshuagl @sechkova