Merge branch 'add-detailed-workflow' of github.com:trishankkarthik/tuf into add-detailed-workflow

Author: trishankkarthik

LICENSE.txt

@@ -1,33 +1,25 @@
-        This file contains the license for TUF: The Update Framework.
+The MIT License (MIT)
 
-         It also lists license information for components and source
-                   code used by TUF: The Update Framework.
+Copyright (c) 2010 New York University
 
-             If you got this file as a part of a larger bundle,
-        there may be other license terms that you should be aware of.
-
-===============================================================================
-TUF: The Update Framework is distributed under this license:
-
-Copyright (c) 2010, Justin Samuel and Justin Cappos.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and/or hardware specification (the “Work”) to deal in the Work
-without restriction, including without limitation the rights to use, copy,
-modify, merge, publish, distribute, sublicense, and/or sell copies of the Work,
-and to permit persons to whom the Work is furnished to do so, subject to the
-following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
 The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Work.
+copies or substantial portions of the Software.
 
-THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
-OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
-ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER
-DEALINGS IN THE WORK.
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
 ===============================================================================
 Many files are modified from Thandy and are licensed under the
 following license:

SECURITY.md

@@ -1,4 +1,4 @@
-#Security
+# Security
 
 Generally, a software update system is secure if it can be sure that it knows about the latest available updates in a timely manner, any files it downloads are the correct files, and no harm results from checking or downloading files. The details of making this happen are complicated by various attacks that can be carried out against software update systems.
 
@@ -32,7 +32,7 @@ snapshot metadata, and thus new updates could never be downloaded.
 
 * **Vulnerability to key compromises**. An attacker who is able to compromise a single key or less than a given threshold of keys can compromise clients. This includes relying on a single online key (such as only being protected by SSL) or a single offline key (such as most software update systems use to sign files). 
 
-##Design Concepts
+## Design Concepts
 
 The design and implementation of TUF aims to be secure against all of the above attacks. A few general ideas drive much of the security of TUF.
 

docs/tuf-spec.txt

@@ -1,6 +1,6 @@
                       The Update Framework Specification
 
-18 May 2017
+23 May 2017
 Version 1.0 (Draft)
 
 1. Introduction
@@ -1132,11 +1132,21 @@ Version 1.0 (Draft)
    role.  When replacing root keys, an application will sign the new root.json
    file with both the new and old root keys. Any time such a change is
    required, the root.json file is versioned and accessible by version number,
-   e.g. 3.root.json. Clients update the set of trusted root keys by requesting
+   e.g., 3.root.json. Clients update the set of trusted root keys by requesting
    the current root.json and all previous root.json versions, until one is
-   found that has been signed by keys the client already trusts. This is to
-   ensure that outdated clients remain able to update, without requiring all
-   previous root keys to be kept to sign new root.json metadata. See step 1 in
+   found that has been signed by a threshold of keys that the client already
+   trusts. This is to ensure that outdated clients remain able to update,
+   without requiring all previous root keys to be kept to sign new root.json
+   metadata.
+   
+   In the event that the keys being updated are root keys, it is important to
+   note that the new root.json must at least be signed by the keys listed as
+   root keys in the previous version of root.json, up to the threshold listed
+   for root in the previous version of root.json. If this is not the case,
+   clients will (correctly) not validate the new root.json file.  For example,
+   if there is a 1.root.json that has threshold 2 and a 2.root.json that has
+   threshold 3, 2.root.json MUST be signed by at least 2 keys defined in
+   1.root.json and at least 3 keys defined in 2.root.json. See step 1 in
    Section 5.1 for more details.
 
    To replace a delegated developer key, the role that delegated to that key

tuf/client/README.md

@@ -1,4 +1,4 @@
-#updater.py
+# updater.py
 **updater.py** is intended as the only TUF module that software update
 systems need to utilize for a low-level integration.  It provides a single
 class representing an updater that includes methods to download, install, and
@@ -152,7 +152,7 @@ for target in updated_target:
   target_custom_data = target['fileinfo']['custom']
 ```
 
-###A Simple Integration Example with basic_client.py
+### A Simple Integration Example with basic_client.py
 ``` Bash
 # Assume a simple TUF repository has been setup with 'tuf.repository_tool.py'.
 $ basic_client.py --repo http://localhost:8001