spec version incompatibility #1751
Assignees
Labels
1.0.0 blockers
To be addressed before 1.0.0 release
backlog
Issues to address with priority for current development goals
Milestone
Comments
|
hmm looks like their newer metadata has |
Thanks for filing the issue. Can you point to the metadata files?
I would say so, yes, although I'm not sure how many people actually use the original python-tuf implementation. |
|
metadata generated with go-tuf (so for example sigstore metadata) uses "1.0" as well. |
jku
pushed a commit
to jku/python-tuf
that referenced
this issue
Jan 26, 2022
All TUF implementations used to use "1.0" as the spec version and most of them have never modified that value since. Accept two-digit spec_version for legacy compatibility: it is strictly speaking against the current spec (which requires semver) but there should be no harm in doing this and it allows us to deserialize metadata generated by e.g. go-tuf. Fixes theupdateframework#1751 Signed-off-by: Jussi Kukkonen <[email protected]>
jku
pushed a commit
to jku/python-tuf
that referenced
this issue
Jan 26, 2022
All TUF implementations used to use "1.0" as the spec version and most of them have never modified that value since. Accept two-digit spec_version for legacy compatibility: it is strictly speaking against the current spec (which requires semver) but there should be no harm in doing this and it allows us to deserialize metadata generated by e.g. go-tuf. Fixes theupdateframework#1751 Signed-off-by: Jussi Kukkonen <[email protected]>
jku
added
1.0.0 blockers
jku
pushed a commit
to jku/python-tuf
that referenced
this issue
Jan 26, 2022
All TUF implementations used to use "1.0" as the spec version and most of them have never modified that value since. Accept two-part spec_version for legacy compatibility: it is strictly speaking against the current spec (which requires semver) but there should be no harm in doing this and it allows us to deserialize metadata generated by e.g. go-tuf. Fixes theupdateframework#1751 Signed-off-by: Jussi Kukkonen <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
datadogs metadata contains
"spec_version": "1.0",This is currently not compatible with Metadata API (deserializating the data fails).
"1.0" seems to not be a strictly compliant spec_version (the specification says format follows semantic versioning) but we could potentially support this for backwards compat?
EDIT: also metadata generated with go-tuf (so for example sigstore metadata) looks like this.
The text was updated successfully, but these errors were encountered: