Misleading / missing steps in TUTORIAL for delegated roles #838

Closed
awwad opened this issue Mar 25, 2019 · 4 comments

Labels: documentation (Documentation of the project as well as procedural documentation); good first issue (Bite-sized items for first time contributors); repository (Related to the repository implementation); up for grabs

Comments

awwad (Contributor) commented Mar 25, 2019

There are a few issues here:

  1. The output if you try to delegate to a delegated role can include two warnings that may be misleading, as it is not made clear in standard out that they are warnings:

    •   logger.warning(repr(target_filepath) + ' is not located in the'
       ' repository\'s targets directory: ' + repr(self._targets_directory))
      
    • A warning that indicates that the verification keys have "already been used" if they are already in the keydb for any reason (which does not require that another role already has used them).
  2. The tutorial doesn't tell you how to deal with writing delegated roles, which requires that you mark the role (and timestamp and snapshot at least) as dirty, every time.

awwad added the documentation, good first issue, repository and up for grabs labels Mar 25, 2019

joshuagl (Member) commented

Two parts of this issue have been addressed:

However, one item remains: a warning that indicates that the verification keys have "already been used" is still emitted. I don't think warning is the right log level for this. In what scenarios is the message useful? Could the logged message be clearer about what the impact is?

lukpueh (Member) commented May 28, 2020

I can only guess, but I would say the original intention was to prevent someone from re-using the same key for different roles, which is a legitimate motivation. But as @awwad indicates above, the warning does not check for key re-use among roles; it just checks if the key, detached from any role, is already in the keydb (a global dictionary associated with a repository).

My assessment:

  • The warning as it is right now IS NOT useful and just spams the user
  • A warning that reliably informs the user about a key re-use, and its perils, WOULD BE useful
  • This is a low priority issue, and I suggest we provide a proper fix in the course of a larger refactor.
  • That said, I'm happy to merge a quickfix that decreases the log level, e.g. to INFO and/or changes the message to something more truthful.
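
Added example, not part of the thread and not python-tuf code: it contrasts the keydb-membership check described in the comment above with a role-aware check that reports only keys trusted by more than one role. The dictionaries, key ids, role names and function names are hypothetical and no python-tuf API is used.

```python
import logging
from collections import defaultdict

logger = logging.getLogger("key_reuse_example")  # hypothetical logger name


def keydb_membership_warns(keydb, keyid):
    """Check described in the thread: is the key already in the
    repository-wide keydb, regardless of which role (if any) uses it?"""
    return keyid in keydb


def roles_sharing_keys(role_keyids):
    """Role-aware check: return {keyid: [roles]} for every key that is
    trusted by more than one role."""
    users = defaultdict(set)
    for role, keyids in role_keyids.items():
        for keyid in keyids:
            users[keyid].add(role)
    return {kid: sorted(roles) for kid, roles in users.items() if len(roles) > 1}


def report_key_reuse(role_keyids):
    """Log one warning per shared key and return the findings."""
    shared = roles_sharing_keys(role_keyids)
    for keyid, roles in sorted(shared.items()):
        logger.warning("key %s is used by more than one role: %s",
                       keyid, ", ".join(roles))
    return shared


# Constructed sample data (hypothetical key ids, not real TUF metadata).
KEYDB = {"k-root": "pub", "k-targets": "pub", "k-deleg": "pub"}
ROLES_NO_REUSE = {
    "root": {"k-root"},
    "targets": {"k-targets"},
    "unclaimed": {"k-deleg"},  # delegated role
}
ROLES_WITH_REUSE = {
    "snapshot": {"k-online"},
    "timestamp": {"k-online"},
    "targets": {"k-targets"},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # "k-deleg" is in the keydb, yet no two roles share it.
    print(keydb_membership_warns(KEYDB, "k-deleg"), report_key_reuse(ROLES_NO_REUSE))
    print(report_key_reuse(ROLES_WITH_REUSE))
```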

lukpueh (Member) commented May 28, 2020

Btw. thanks for updating the status of this issue, @joshuagl!

joshuagl added this to the Refactor milestone Jul 7, 2020
joshuagl removed this from the Refactor milestone Sep 8, 2020

jku (Member) commented Feb 16, 2022

Closing this issue as it was filed against (what is now known as) the legacy codebase: issue seems to not be relevant anymore. Please re-open or file a new issue if you feel that the issue is relevant to current python-tuf.

TUTORIAL is no longer, we have examples in examples/ directory though.

More details

Current source code (and upcoming 1.0 release) only contains the modern components

  • a low-level Metadata API (tuf.api) and
  • tuf.ngclient that implements the client workflow,

Legacy components (e.g. tuf.client, tuf.repository_tool, tuf.repository_lib as well as the repo and client scripts) are no longer included. See announcement and API reference for more details.

jku closed this as completed Feb 16, 2022