Confirm terminating roles logic from spec #168
Comments
|
Thanks, Ted! There's still one point of confusion here: the term/non-term labels should apply to the edges, not the nodes. However, I think your interpretation is correct, as per the spec and the Diplomat paper. From simulating the code on this graph in my head, I think my tuf-on-a-plane code would correctly not explore E, but would incorrectly explore F. Any disagreements, @mnm678 and @JustinCappos? |
|
IOW: once you see a terminating delegation anywhere in the graph, the rest of the graph is completely pruned. |
|
There are two ways of interpreting terminating delegations: global vs local pruning. Only one of them is the intended/correct interpretation. |
|
I'm not one of the original authors, but my interpretation of the spec and the Diplomat paper matches the expected outcome suggested here. |
|
I agree this interpretation is correct. I'm also curious what everyone thinks should happen if there is a threshold delegation to A and F as well. Certainly that is worth a test case... |
I read it the same. The loop will need to propagate that there was a terminating delegation up to previous iterations in order to correctly not explore F. It looks like the reference implementation handles this correctly by breaking out of the for loop here (I didn't check the new client).
In that case, I'd argue that F should be explored (and required for the threshold). But I don't think this behavior is well-defined in the spec. |
By threshold delegation, you mean multirole delegation? Agree with @mnm678 that if min_roles_in_agreement >=1 (which I assume is always the case), then, yes, it should backtrack from A and check F, despite any terminating delegation from A. Agree that the spec is underspecified with respect to TAP 3. Also need to think about whether there is any contradiction between terminating delegations and TAP 3. |
|
The spec states that
Which by a literal reading does contradict TAP 3. I don't think TAP 3 is supported by 1.0 of the specification, but this is something we should figure out before adding it. |
In particular, I'd like to see concrete pseudocode added to the spec. Otherwise, readers are likely to get confused. |
|
Thanks everyone for the confirmation. I working on fixing our implementation increasing our test coverage for different cases here php-tuf/php-tuf#216 If anyone is interested we test our client implementation by creating test fixtures with a We then make test case for a given test fixture and given target, whether it should be found and which metadata files the client should retreive/evaluate to determine this. Like this case for role "F" in the example not finding a target because of terminating delegation in "B" https://github.com/php-tuf/php-tuf/blob/tedbow-fix_terminating_2/tests/Client/UpdaterTest.php#L653 |
In https://github.com/php-tuf/php-tuf we are making sure we have the logic correct around terminating delegations. As we have updated our implementation of the spec from v1.0.9(the release when we started) to the most recent releases we have notice there has been some changes to wording in this area of the spec.
To make sure we get the logic correct for terminating delegations I have created this simple example to make sure our assumptions are correct(actually we don't all have same assumptions these are mine)
Constraints
term = terminating delegation
non-term = non terminating delegation
Priority: The roles in each level are ordered from left to right in the order they would appear under
[delegations][roles]All roles have
paths = [‘assets/*’](just to provide matches for every role only focus on terminating logic now)Target being searched for = 'assets/always-match.txt’
Expected outcome
Expected role evaluation:
Targets -> A > B > C > D
Am I correct?
The text was updated successfully, but these errors were encountered: