A simple software updater, built on top of python-tuf, the reference implementation for TUF (The Update Framework).
The notsotuf
package was inspired by PyUpdater.
A detailed discussion of the intricacies of TUF implementation can be found in PEP458.
Borrowing tuf
terminology, we have tools for the repository (repo) side and tools for the client side.
The repo tools are used by the app developer to:
- create update files (e.g. using PyInstaller)
- sign the resulting files (cryptographically)
- deploy these files to a server
The client tools are used by the app itself to:
- check for updates
- download update files
- apply the update files
The tuf
package is used under the hood to check for updates and download update files in a secure manner, so notsotuf
can safely apply the update.
See the tuf docs for more information.
Notsotuf works with archives (gzipped PyInstaller bundles) and patches (binary differences between subsequent archives).
Archive files (and patch files) are named according to PEP440 version specifications.
Each archive (except the first one) has a corresponding patch file, with the matching filename but different extension (.patch
vs .gz
).
Patches are typically smaller than archives, so the notsotuf client will always attempt to update using one or more patches. However, if the total amount of patch data is greater than the desired full archive file, a full update will be performed.
If you have a working update framework built around PyUpdater, here's how you could migrate to notsotuf
:
- Add
notsotuf
to your main application environment as a core dependency, and movepyupdater
from core dependencies to development dependencies. - Replace all
pyupdater
client code (and configuration) in your application by thenotsotuf
client. - Build, package, and sign using
pyupdater
, and deploy to your server, as usual. This will ensure yourpyupdater
clients currently in the field will be able to update to the newnotsotuf
client. From here on, new updates will be deployed usingnotsotuf
. - Set up your
notsotuf
repository (on the same server or another server), but keep thepyupdater
repository in place as long as necessary to allow all clients to update. - From now on, build, package, sign and deploy using
notsotuf
, as described elsewhere in this document.