Skip to content

feat(ngclient): require explicit bootstrap argument#2903

Open
1seal wants to merge 1 commit intotheupdateframework:developfrom
1seal:hardening/require-explicit-bootstrap
Open

feat(ngclient): require explicit bootstrap argument#2903
1seal wants to merge 1 commit intotheupdateframework:developfrom
1seal:hardening/require-explicit-bootstrap

Conversation

@1seal
Copy link

@1seal 1seal commented Jan 25, 2026

Description of the changes being introduced by the pull request:

This PR makes the trust anchor choice explicit in tuf.ngclient.Updater().

  • bootstrap is now a required keyword-only argument (no default)
  • Callers must choose:
    • bootstrap=<root_bytes> (recommended: embedded/deployed trusted root)
    • bootstrap=None (explicit opt-in to using cached metadata_dir/root.json as the trust anchor)
  • The fallback now triggers only on bootstrap is None (not on falsy bytes)
  • Tests and examples are updated to pass bootstrap explicitly
  • Adds documentation guidance on secure bootstrap root storage

Migration:

  • Old implicit behavior: Updater(...)
  • Preserve old behavior explicitly: Updater(..., bootstrap=None)
  • Recommended: Updater(..., bootstrap=)

Tests:

  • python -m pytest -c pyproject.toml -q

Ref: GHSA-9pfj-pjv5-22gj

@1seal
feat(ngclient): require explicit bootstrap argument
c49bdb9 
make bootstrap required and explicit: callers must pass bootstrap=<root_bytes> or bootstrap=None.

also tighten docs, examples, and tests to reflect the explicit trust anchor choice.

Signed-off-by: 1seal <security@1seal.org>
@1seal 1seal requested a review from a team as a code owner January 25, 2026 12:05
jku
jku reviewed Jan 30, 2026
View reviewed changes
Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me, left a couple of suggestions. Let me know what you think.

tests/test_updater_consistent_snapshot.py

# Init trusted root with the latest consistent_snapshot
with open(os.path.join(self.metadata_dir, "root.json"), "bw") as f:
f.write(sim.signed_roots[-1])
Copy link
Member

@jku jku Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could maybe be removed now that _init_updater() does the right thing?

This probably applies to most test files using the repository simulator

docs/INSTALLATION.rst
python3 -m pip install -r requirements/dev.txt


Bootstrap root metadata
Copy link
Member

@jku jku Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is otherwise mostly about developer installs... Maybe we could rename this section to "Application deployment" or something to make it clearer that this is another subject completely?

@1seal
Copy link
Author

1seal commented Jan 30, 2026

removed the redundant root.json writes in tests where Updater(..., bootstrap=) is already passed (incl. test_updater_consistent_snapshot and other repository simulator tests). i kept the distinction for bootstrap=None: tests that require cached root still write it, and ‘no cache + bootstrap=None’ cases keep the cache absent. also renamed the INSTALLATION section to ‘Application deployment’ to clarify the context

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jku jku jku left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@1seal @jku