Metadata Attribute research: Threshold

[MVrachev]

This issue aims to document thoughts about the Threshold attribute from the root and targets roles and more precisely in our implementation Role and DelegatedRole classes.
The goal is to understand how we use that attribute, what might go wrong with it and how we can validate it.

We want to answer/address the following 6 questions/points based on my comment here:

1. How do we use it?
2. What might go wrong?
3. Rethink how we store it?
4. If, after the changes in step 3 there are concerns, then add a validation function
5. Make the necessary changes for points 1 - 4, think and propose a way to integrate it into the class/classes (decorators, descriptors, etc.)
6. create a pr for all additional changes on top of the validation functions

PS: The 7-th point is covered by documenting this issue.

[MVrachev]

1. How do we use it?

• Initialization in Role.__init__ and DelegationRole.__init__ (still in DelegationRole we call Role.__init__ for threshold).
• Then after initialization, in MetadataBundle.verify_with_threshold and in pr Metadata API: Implement threshold verification #1436 we are using threshold as a read-only constant.

2. What might go wrong?

• Passing a threshold below 1.

3. Rethink how we store it?

• We are initializing it from one place so probably there is no sense in making it a property.

4. If, after the changes in step 3 there are concerns, then add a validation function

• No need.

5. Make the necessary changes for points 1 - 4, think and propose a way to integrate it into the class/classes (decorators, descriptors, etc.)

• No need.

6. create a pr for all additional changes on top of the validation functions

• Should be added. We can add validation only in Role.__init__ because it's called when creating both Role and DelegationRole.

Would love to hear @jku opion.

[jku]

Then after initialization, in MetadataBundle.verify_with_threshold and in pr #1436 we are using threshold as a read-only constant.

once we get to repository-side code, Role and DelegatedRole will be modified though: threshold and keyids do potentially change. Not much thought has been put into this yet (possibly we want more API than add_key()/remove_key())... I think it's fine to implement validation based on current use -- if we don't know what the modifying API looks like we can't really validate that.

[jku]

once we get to repository-side code, Role and DelegatedRole will be modified though: threshold and keyids do potentially change. Not much thought has been put into this yet (possibly we want more API than add_key()/remove_key())... I think it's fine to implement validation based on current use -- if we don't know what the modifying API looks like we can't really validate that.

One alternative to this is to consider Role and DelegatedRole immutable objects: when repository code wants to change keys or threshold of a role, it should just add/remove/replace the complete role instead of modifying the keys/threshold in the role. This way it would be easier to ensure that e.g. the delegation keys includes the keys (and only the keys) that are actually used by current delegation roles.

Regardless, i don't think this should affect what you do to threshold within the Role object: what you're planning seems fine.

[MVrachev]

I think mentally I always considered Key as an immutable object.
As you pointed out: because we are not sure what modification API do we want to add we can only verify what we know.
Will submit a pr verifying only the simplest case - that threshold is more than 1.