GNOME Bugzilla – Bug 748220
Detached metadata updates not fetched
Last modified: 2015-04-23 23:59:54 UTC
In working on GPG features for OSTree there's been a few occasions where I've forgotten to sign a newly-composed tree before pulling from an atomic host. If GPG verification is enabled on the OSTree remote, this isn't a problem because the pull fails until I sign the tree. But otherwise the pull completes. If I then sign the commit and pull again with GPG verification disabled, the new signatures are never fetched because as far as the client-side can tell it's up-to-date. Perhaps more generally, detached metadata updates are not detected during pulls. Should they be? It seems so, at least in the GPG case. I know detached metadata doesn't figure into commit checksums, and it would be premature to suggest a solution since I'm still grokking the details of pulls. What are your thoughts? Legit bug?
I'd say let's re-fetch detached metadata on every pull request. (If we wanted to optimize things slightly we could start to implement proper caching by recording ETag/If-Modified-Since and such, but eh..it's going to be small).
Sounds easy enough. I'll cook up a patch.
https://github.com/GNOME/ostree/pull/94
Fixed in https://git.gnome.org/browse/ostree/commit/?id=9c449624f23408541a7194499f1d5762cb2cf5d9