updater: Improve comments on bootstrap arg

This includes some minor example improvements Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2026-05-24 10:08:28 +00:00 · 2025-01-11 14:44:09 +02:00 · 2025-01-11 14:44:09 +02:00 · 38e4eaba1f
commit 38e4eaba1f
parent c4cd7935e3
2 changed files with 16 additions and 6 deletions
--- a/examples/client/client
+++ b/examples/client/client
@ -30,7 +30,11 @@ def build_metadata_dir(base_url: str) -> str:

 def init_tofu(base_url: str) -> bool:
    """Initialize local trusted metadata (Trust-On-First-Use) and create a
-    directory for downloads"""
+    directory for downloads
+
+    NOTE: This is unsafe and for demonstration only: the bootstrap root
+    should be deployed alongside your updater application
+    """

    metadata_dir = build_metadata_dir(base_url)

@ -81,6 +85,9 @@ def download(base_url: str, target: str) -> bool:
        os.mkdir(DOWNLOAD_DIR)

    try:
+        # NOTE: initial root should be provided with ``bootstrap``  argument:
+        # This examples uses unsafe Trust-On-First-Use initialization so it is
+        # not possible here.
        updater = Updater(
            metadata_dir=metadata_dir,
            metadata_base_url=f"{base_url}/metadata/",
@ -112,7 +119,7 @@ def download(base_url: str, target: str) -> bool:
    return True


-def main() -> None:
+def main() -> str | None:
    """Main TUF Client Example function"""

    client_args = argparse.ArgumentParser(description="TUF Client Example")
@ -177,6 +184,8 @@ def main() -> None:
    else:
        client_args.print_help()

+    return None
+

 if __name__ == "__main__":
    sys.exit(main())
--- a/tuf/ngclient/updater.py
+++ b/tuf/ngclient/updater.py
@ -12,7 +12,8 @@
 High-level description of ``Updater`` functionality:
  * Initializing an ``Updater`` loads and validates the trusted local root
    metadata: This root metadata is used as the source of trust for all other
-    metadata.
+    metadata. Updater should always be initialized with the ``bootstrap``
+    argument: if this is not possible, it can be initialized from cache only.
  * ``refresh()`` can optionally be called to update and load all top-level
    metadata as described in the specification, using both locally cached
    metadata and metadata downloaded from the remote repository. If refresh is
@ -75,9 +76,9 @@ class Updater:
            download both metadata and targets. Default is ``Urllib3Fetcher``
        config: ``Optional``; ``UpdaterConfig`` could be used to setup common
            configuration options.
-        bootstrap: ``Optional``; initial root metadata. If a boostrap root is
-            not provided then the root.json in the metadata cache is used as the
-            initial root.
+        bootstrap: ``Optional``; initial root metadata. A boostrap root should
+            always be provided. If it is not, the current root.json in the
+            metadata cache is used as the initial root.

    Raises:
        OSError: Local root.json cannot be read