
feat(ngclient): require explicit bootstrap argument#2903

Merged
jku merged 2 commits into theupdateframework:develop from 1seal:hardening/require-explicit-bootstrap
Feb 19, 2026

Conversation

@1seal (Contributor) commented Jan 25, 2026

Description of the changes being introduced by the pull request:

This PR makes the trust anchor choice explicit in tuf.ngclient.Updater().

  • bootstrap is now a required keyword-only argument (no default)
  • Callers must choose:
    • bootstrap=<root_bytes> (recommended: embedded/deployed trusted root)
    • bootstrap=None (explicit opt-in to using cached metadata_dir/root.json as the trust anchor)
  • The fallback now triggers only on bootstrap is None (not on falsy bytes)
  • Tests and examples are updated to pass bootstrap explicitly
  • Adds documentation guidance on secure bootstrap root storage

Migration:

  • Old implicit behavior: Updater(...)
  • Preserve old behavior explicitly: Updater(..., bootstrap=None)
  • Recommended: Updater(..., bootstrap=<root_bytes>)

Tests:

  • python -m pytest -c pyproject.toml -q

Ref: GHSA-9pfj-pjv5-22gj

make bootstrap required and explicit: callers must pass bootstrap=<root_bytes> or bootstrap=None.

also tighten docs, examples, and tests to reflect the explicit trust anchor choice.

Signed-off-by: 1seal <security@1seal.org>
@1seal 1seal requested a review from a team as a code owner January 25, 2026 12:05
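The migration the PR describes, as an added example that is not python-tuf's own code: it models the selection rule from the description (the cached root.json is used only when `bootstrap is None`, never on falsy bytes) and shows the recommended call shape. The `Updater` keyword names are the real ngclient ones; `resolve_trust_anchor`, `load_deployed_root`, `make_updater`, the `trusted-root.json` file name and the sample metadata bytes are assumptions constructed for this example.

```python
"""Explicit trust-anchor choice for tuf.ngclient.Updater (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Optional

try:
    from tuf.ngclient import Updater  # real API; used only if python-tuf is installed
except ImportError:  # lets the example run without python-tuf present
    Updater = None


def resolve_trust_anchor(bootstrap: Optional[bytes], metadata_dir) -> bytes:
    """Return the root metadata bytes that anchor the update.

    Assumption: modelled on the PR text, not copied from ngclient. Only
    `bootstrap is None` opts into the cached root; any bytes object, including
    b"", is used as given, so a falsy value cannot silently fall back to the cache.
    """
    if bootstrap is None:
        cached = Path(metadata_dir) / "root.json"
        if not cached.is_file():
            raise FileNotFoundError(
                f"bootstrap=None but no cached root at {cached}; "
                "deploy a trusted root and pass bootstrap=<root_bytes>"
            )
        return cached.read_bytes()
    if not isinstance(bootstrap, (bytes, bytearray)):
        raise TypeError("bootstrap must be bytes or None")
    return bytes(bootstrap)


def load_deployed_root(app_dir) -> bytes:
    """Read the root.json shipped with the application (the recommended anchor).

    'trusted-root.json' is an assumed name; use a path the deployment controls
    and that the update process itself cannot write to.
    """
    data = (Path(app_dir) / "trusted-root.json").read_bytes()
    if not data:
        raise ValueError("deployed root is empty; refusing to start without a trust anchor")
    return data


def make_updater(metadata_dir, metadata_base_url: str, bootstrap: Optional[bytes]):
    """Construct the real Updater with the anchor chosen explicitly by keyword."""
    if Updater is None:
        raise RuntimeError("python-tuf is not installed")
    return Updater(
        metadata_dir=str(metadata_dir),
        metadata_base_url=metadata_base_url,
        bootstrap=bootstrap,  # bytes (recommended) or None (explicit cached-root opt-in)
    )


def run_demo() -> dict:
    """Exercise the caller choices against constructed files; returns a result map."""
    # Constructed sample bytes, not real signed TUF metadata.
    constructed_root = b'{"signed": {"_type": "root", "version": 1}, "signatures": []}'
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "app"
        cache_dir = Path(tmp) / "metadata"
        app_dir.mkdir()
        cache_dir.mkdir()
        (app_dir / "trusted-root.json").write_bytes(constructed_root)

        # Recommended: the embedded root is used regardless of cache contents.
        embedded = load_deployed_root(app_dir)
        results["embedded"] = resolve_trust_anchor(embedded, cache_dir) == constructed_root

        # Falsy bytes do not trigger the fallback: b"" is passed through unchanged.
        results["empty_bytes_passthrough"] = resolve_trust_anchor(b"", cache_dir) == b""

        # Explicit None with no cached root fails loudly instead of running unanchored.
        try:
            resolve_trust_anchor(None, cache_dir)
            results["none_without_cache_raises"] = False
        except FileNotFoundError:
            results["none_without_cache_raises"] = True

        # Explicit None with a cached root (the old implicit behaviour) uses that file.
        (cache_dir / "root.json").write_bytes(constructed_root)
        results["none_with_cache"] = resolve_trust_anchor(None, cache_dir) == constructed_root
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `b""` case is the one worth checking in your own wrapper code: a truthiness test (`if bootstrap:`) would quietly turn an empty or corrupted embedded root into a cached-root fallback, which is the implicit behaviour the PR removes.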
@jku (Member) left a comment


This looks good to me, left a couple of suggestions. Let me know what you think.

@1seal (Contributor, Author) commented Jan 30, 2026

Removed the redundant root.json writes in tests where Updater(..., bootstrap=<root_bytes>) is already passed (incl. test_updater_consistent_snapshot and other repository simulator tests). I kept the distinction for bootstrap=None: tests that require a cached root still write it, and "no cache + bootstrap=None" cases keep the cache absent. Also renamed the INSTALLATION section to "Application deployment" to clarify the context.

@jku (Member) commented Feb 6, 2026

Did you forget to push the branch or do I misunderstand?

@1seal (Contributor, Author) commented Feb 6, 2026

Yes, thanks for the reminder. Removed the redundant root.json writes from test files that pass an explicit bootstrap and renamed the INSTALLATION section to "Application deployment" as suggested.

@jku (Member) commented Feb 19, 2026

Apologies for the annoyingly long review cycles at the moment.

  • the formatter is complaining (tox -e lint will check locally and ruff format tuf examples tests verify_release .github/scripts should fix it if you have ruff installed)
  • the last commit does not have signed-off-by

I can also fix these myself (and override DCO) but then we'll wait for another reviewer to have a look, let me know how you want to handle this.

…cs section

Signed-off-by: 1seal <security@1seal.org>
@1seal 1seal force-pushed the hardening/require-explicit-bootstrap branch from 8104dd7 to d5fa0b0 Compare February 19, 2026 13:47
@1seal (Contributor, Author) commented Feb 19, 2026

@jku I’ve addressed both points:

  • ran ruff format on tuf examples tests verify_release .github/scripts (so tox -e lint is clean now)
  • amended the last commit to include Signed-off-by (DCO)

Force-pushed the updated branch to the PR. Let me know if you’d prefer I avoid force-pushes and send follow-up commits instead.

@jku (Member) left a comment

Thanks!

@jku jku merged commit 9f34e0f into theupdateframework:develop Feb 19, 2026
17 checks passed