Metadata API: Document serialization "repro" issue

It's not obvious to casual reader that reading metadata and then writing it might not always produce the same file. It's also not immediately obvious why this matters. Document both concepts. Fixes #1392 Signed-off-by: Jussi Kukkonen <[email protected]>
theupdateframework · Feb 1, 2022 · ca9300c · ca9300c
1 parent 6c1dfce
commit ca9300c
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -232,6 +232,13 @@ def to_bytes(
     ) -> bytes:
         """Return the serialized TUF file format as bytes.
 
+        Note that if bytes are first deserialized into ``Metadata`` and then
+        serialized with ``to_bytes()``, the two are not guaranteed to be the
+        same because of whitespace issues, even if the signatures are
+        guaranteed to stay valid. If byte-for-byte equivalence is required
+        (which is the case when content hashes are used in other metadata),
+        the original content should be used instead of re-serializing.
+
         Arguments:
             serializer: A MetadataSerializer instance that implements the
                 desired serialization format. Default is JSONSerializer.
@@ -265,6 +272,13 @@ def to_file(
     ) -> None:
         """Writes TUF metadata to file storage.
 
+        Note that if a file is first deserialized into ``Metadata`` and then
+        serialized with ``to_file()``, the two files are not guaranteed to be
+        the same because of whitespace issues, even if the signatures are
+        guaranteed to stay valid. If byte-for-byte equivalence is required
+        (which is the case when file hashes are used in other metadata),
+        the original file should be used instead of re-serializing.
+
         Arguments:
             filename: The path to write the file to.
             serializer: A MetadataSerializer instance that implements the