Skip to content

ngclient: Increase default max_root_rotations #2675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 17, 2024
Merged

ngclient: Increase default max_root_rotations #2675

merged 1 commit into from
Jul 17, 2024

Conversation

@jku
Copy link
Member

@jku jku commented Jul 17, 2024
edited
Loading

this configuration variable controls how many root versions the client will upgrade in a single refresh(). The idea is to prevent a malicious repository from filling the disk with root versions.

We want a number that is high enough that a repository should not have made that many roots in the time that clients take to update the "embedded" root that the client shipped with.

32 is small enough that a repository could possibly reach it while clients with v1 embedded in them are still in use. Let's bump to 256: this should be plenty.

Fixes #2672

@jku
ngclient: Increase default max_root_rotations
6eaf405 
this configuration variable controls how many root versions
the client will upgrade in a single refresh(). The idea is to prevent
a malicious repository from filling the disk with root versions.

We want a number that is high enough that a repository should not have
made that many roots in the time that clients take to update the "embedded"
root that the client shipped with ship with.

32 is small enough that a repository could reach it while clients with
v1 embedded in them are still in use. Let's bump to 256: this should be
plenty.

Signed-off-by: Jussi Kukkonen <[email protected]>
@coveralls
Copy link

coveralls commented Jul 17, 2024

Pull Request Test Coverage Report for Build 9971250791

Details

  • 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 96.805%
Totals Coverage Status
Change from base Build 9952569195: 0.0%
Covered Lines: 1554
Relevant Lines: 1591
💛 - Coveralls

@jku jku merged commit 4d2ff8d into theupdateframework:develop Jul 17, 2024
@jku jku deleted the bump-max-root-rotations branch December 30, 2024 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukpueh lukpueh lukpueh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

max root rotations is way too small

3 participants

@jku @coveralls @lukpueh