updater.py and mirror.py docs disagree on what confined_target_dirs means #1118

Closed
jku opened this issue Aug 28, 2020 · 2 comments
Labels
client: Related to the client (updater) implementation
documentation: Documentation of the project as well as procedural documentation
legacy

Comments

@jku
Member

jku commented Aug 28, 2020

updater.py on confined_target_dirs:

  # ... In the example, the client has chosen '', which is
  # interpreted as no confinement.  In other words, the client can download
  # targets from any directory or subdirectories.  If the client had chosen
  # 'targets1/', they would have been confined to the '/targets/targets1/'
  # directory on the 'http://localhost:8001' mirror.
  repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001',
                                    'metadata_path': 'metadata',
                                    'targets_path': 'targets',
                                    'confined_target_dirs': ['']}}

This claim that value 'targets1/' would confine downloads to '/targets/targets1/' seems to contradict mirrors.py implementation and the example given there:

      {'url_prefix': 'http://localhost:8001',
       'metadata_path': 'metadata/',
       'targets_path': 'targets/',
       'confined_target_dirs': ['targets/snapshot1/', ...],
       'custom': {...}}

It seems targets_path must be included in confined_target_dirs for it to work.

I think the only fix needed is changing updater.py documentation to say something like

If the client had chosen ['targets/targets1/'], they would have been confined to targets named targets1/<filename> on this mirror, or in other words confined to URLs like http://localhost:8001/targets/targets1/<filename>

@joshuagl joshuagl changed the title from "updater.p and mirror.py docs disagree on what confined_target_dirs means" to "updater.py and mirror.py docs disagree on what confined_target_dirs means" Aug 28, 2020
@joshuagl joshuagl added documentation Documentation of the project as well as procedural documentation good first issue Bite-sized items for first time contributors labels Aug 28, 2020
@jku
Member Author

jku commented Aug 30, 2020

The other thing this bit of documentation should make clear is what confinement means with regard to subdirectories: I think currently only files directly in confined_targets_dir will match; files in subdirectories of confined_targets_dir will not.

This may make the pip implementation a little painful, depending on the solution to pypi/warehouse#8487

@jku jku added the client Related to the client (updater) implementation label Nov 27, 2020
@jku jku added legacy and removed good first issue Bite-sized items for first time contributors labels Nov 30, 2021
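
The two readings of confined_target_dirs discussed in this issue, as an added example (not code from python-tuf; `in_confined_dirs` and `check_both_readings` are hypothetical names). It assumes the semantics described in the comments above: '' means no confinement, and only files directly in a listed directory match, not files in its subdirectories.

```python
import posixpath


def in_confined_dirs(target_path, confined_dirs):
    """Return True if target_path passes the confinement list.

    Assumed semantics (taken from the issue discussion, not from the
    project's source): '' disables confinement; otherwise the file's parent
    directory must equal a listed directory exactly.
    """
    # Normalise first so 'targets1/../other/f' is not treated as 'targets1/'.
    parent = posixpath.dirname(posixpath.normpath(target_path))
    for confined in confined_dirs:
        if confined == '':
            return True
        if parent == posixpath.normpath(confined):
            return True
    return False


def check_both_readings(target_name, targets_path, confined_dirs):
    """Run the check on the two strings the documentation could mean."""
    full_path = posixpath.join(targets_path, target_name)
    return {
        # Reading 1: the check sees the name relative to targets_path.
        'relative_to_targets_path': in_confined_dirs(target_name, confined_dirs),
        # Reading 2: the check sees targets_path + name.
        'including_targets_path': in_confined_dirs(full_path, confined_dirs),
    }


if __name__ == '__main__':
    # Constructed sample values based on the mirror config quoted above.
    for dirs in (['targets1/'], ['targets/targets1/'], ['']):
        print(dirs, check_both_readings('targets1/file.txt', 'targets', dirs))
    # A file one level deeper does not match its grandparent directory.
    print(in_confined_dirs('targets1/sub/file.txt', ['targets1/']))
```

A value that confines correctly under one reading rejects every target under the other, which is why the two docstrings cannot both be right.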
@jku
Member Author

jku commented Feb 16, 2022

Closing this issue as it was filed against (what is now known as) the legacy codebase: issue seems to not be relevant anymore. Please re-open or file a new issue if you feel that the issue is relevant to current python-tuf.

More details

Current source code (and upcoming 1.0 release) only contains the modern components:

  • a low-level Metadata API (tuf.api) and
  • tuf.ngclient that implements the client workflow,

Legacy components (e.g. tuf.client, tuf.repository_tool, tuf.repository_lib as well as the repo and client scripts) are no longer included. See announcement and API reference for more details.

@jku jku closed this as completed Feb 16, 2022