## Roadmap
-<!-- Remember to remove issues 59 and 60 during import -->
-
| Issue | Title | Urgency | Due release |
|-------|-------|---------|-------------|
-| [issue82](https://github.com/NICMx/FORT-validator/issues/82) | Reach 100% RFC 9286 compliance | <span class="urgency-critical">Critical</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.6.4</a> |
-| [issue112](https://github.com/NICMx/FORT-validator/issues/112) | Enforce same origin for RRDP files | <span class="urgency-high">High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.6.4</a> |
-| [issue113](https://github.com/NICMx/FORT-validator/issues/113) | Detect and properly respond to subtler RRDP session desynchronization | <span class="urgency-medium">Medium</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.6.4</a> |
-| [issue114](https://github.com/NICMx/FORT-validator/issues/114) | Support automatic TA key rollover | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/13">1.6.5</a> |
-| [issue50](https://github.com/NICMx/FORT-validator/issues/50) | Provide prometheus endpoint | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/14">1.6.6</a> |
-| [issue58](https://github.com/NICMx/FORT-validator/issues/58) | Fort's validation produces no router keys | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/15">1.6.7</a> |
-| [issue74](https://github.com/NICMx/FORT-validator/issues/74) | Kill rsync if a timeout is exceeded | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/16">1.6.8</a> |
+| [issue82](https://github.com/NICMx/FORT-validator/issues/82) | Reach 100% RFC 9286 compliance | <span class="urgency-critical">Critical</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.7.0</a> |
+| [issue112](https://github.com/NICMx/FORT-validator/issues/112) | Enforce same origin for RRDP files | <span class="urgency-high">High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.7.0</a> |
+| [issue113](https://github.com/NICMx/FORT-validator/issues/113) | Detect and properly respond to subtler RRDP session desynchronization | <span class="urgency-medium">Medium</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/12">1.7.0</a> |
+| [issue114](https://github.com/NICMx/FORT-validator/issues/114) | Support automatic TA key rollover | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/13">1.7.1</a> |
+| [issue50](https://github.com/NICMx/FORT-validator/issues/50) | Provide prometheus endpoint | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/14">1.7.2</a> |
+| [issue58](https://github.com/NICMx/FORT-validator/issues/58) | Fort's validation produces no router keys | <span class="urgency-very-high">Very High</span> | <a href="https://github.com/NICMx/FORT-validator/milestone/15">1.7.3</a> |
| [issue116](https://github.com/NICMx/FORT-validator/issues/116) | SLURM review | <span class="urgency-high">High</span> | - |
| [issue118](https://github.com/NICMx/FORT-validator/issues/118) | Implement validation re-reconsidered | <span class="urgency-high">High</span> | - |
| [issue119](https://github.com/NICMx/FORT-validator/issues/119) | Review IRIs to file names transition | <span class="urgency-high">High</span> | - |
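Review bot: the milestone hrefs are unchanged (milestone/12 through milestone/15) while the link text moves from 1.6.4/1.6.5/1.6.6/1.6.7 to 1.7.0/1.7.1/1.7.2/1.7.3; that is only correct if the milestones were renamed on GitHub, otherwise the text and the target disagree. Also, the issue74 row ("Kill rsync if a timeout is exceeded", Very High, 1.6.8) is dropped without a replacement row; since this same change sets the rsync `transfer-timeout` default to 900, if issue74 is considered delivered, say so in the release notes rather than deleting it silently, and if it is not delivered it should keep a row with a new due release.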
"<a href="#--rsyncretrycount">count</a>": 1,
"<a href="#--rsyncretryinterval">interval</a>": 4
},
- "<a href="#--rsynctransfer-timeout">transfer-timeout</a>": 0,
+ "<a href="#--rsynctransfer-timeout">transfer-timeout</a>": 900,
"<a href="#rsyncprogram">program</a>": "rsync",
"<a href="#rsyncarguments-recursive">arguments-recursive</a>": [
"-rtz",
"<a href="#--httpretrycount">count</a>": 1,
"<a href="#--httpretryinterval">interval</a>": 4
},
- "<a href="#--httpuser-agent">user-agent</a>": "fort/1.6.2",
+ "<a href="#--httpuser-agent">user-agent</a>": "fort/{{ site.fort-latest-version }}",
"<a href="#--httpmax-redirs">max-redirs</a>": 10,
"<a href="#--httpconnect-timeout">connect-timeout</a>": 30,
- "<a href="#--httptransfer-timeout">transfer-timeout</a>": 0,
+ "<a href="#--httptransfer-timeout">transfer-timeout</a>": 900,
"<a href="#--httplow-speed-limit">low-speed-limit</a>": 100000,
"<a href="#--httplow-speed-time">low-speed-time</a>": 10,
"<a href="#--httpmax-file-size">max-file-size</a>": 1000000000,
"log": {
"<a href="#--logenabled">enabled</a>": true,
"<a href="#--logoutput">output</a>": "console",
- "<a href="#--loglevel">level</a>": "info",
- "<a href="#--logtag">tag</a>": "Operation",
+ "<a href="#--loglevel">level</a>": "warning",
+ "<a href="#--logtag">tag</a>": "Op",
"<a href="#--logfacility">facility</a>": "daemon",
"<a href="#--logfile-name-format">file-name-format</a>": "global-url",
"<a href="#--logcolor-output">color-output</a>": false
-.TH fort 8 "2024-08-19" "v1.6.3" "FORT validator"
+.TH fort 8 "2024-09-23" "v1.6.4" "FORT validator"
.SH NAME
fort \- RPKI validator and RTR server
.RE
.P
-.B \-\-shuffle-uris
-.RS 4
-If enabled, FORT will access TAL URLs in random order. This is meant for load
-balancing. If disabled, FORT will access TAL URLs in sequential order.
-.P
-By default, the flag is disabled.
-.P
-This flag is only relevant if the TAL lists more than one URL. Regardless of
-this flag, FORT will stop iterating through the URLs as soon as it finds one
-that yields a successful traversal.
-.P
-If the TAL lists more than one URL, the shuffle is done honoring the priority
-of the protocols (see \fB--rsync.priority\fR and \fB--http.priority\fR). i.e.
-if the HTTP protocol has a higher priority than RSYNC, then all the shuffled
-HTTP URLs will come first.
-.RE
-.P
-
.B \-\-maximum-certificate-depth=\fIUNSIGNED_INTEGER\fR
.RS 4
Maximum allowable certificate chain length. Meant to protect FORT from
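Review bot: `--shuffle-uris` is removed from the man page outright, with no "Deprecated; does nothing" stub of the kind this same file used for `--stale-repository-period`. If the binary still accepts the flag, keep a stub so the entry is discoverable; if it now rejects it, existing configuration files that set `shuffle-uris` will fail to load on upgrade and the release notes must say so. The removed text was also the only place that explained how multiple TAL URLs are ordered with respect to `--rsync.priority` and `--http.priority`; a sentence under those options describing the now fixed order would replace it.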
will retry at most \fI--http.retry.count\fR times to fetch the file, waiting
\fI--http.retry.interval\fR seconds between each retry.
.P
-By default, the value is \fI2\fR.
+By default, the value is \fI4\fR.
.RE
.P
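Review bot: the hunk context starts mid-paragraph, so it is not visible whether the default changed here (2 to 4) belongs to `--http.retry.count` or `--http.retry.interval`. The configuration example elsewhere in this change shows `"count": 1` and `"interval": 4`, so a default of 4 is consistent only with the interval; if this paragraph is the one under `--http.retry.count`, either the man page or the example is still wrong. Double-check the option header above this paragraph.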
.RE
.P
-.B \-\-rsync.strategy=(\fIstrict\fR|\fIroot\fR|\fIroot-except-ta\fR)
-.RS 4
-\fIrsync\fR download strategy; states the way rsync URLs are approached during
-downloads. It can have one of three values:
-.IR strict ", "
-.IR root ", "
-.IB "root-except-ta" "(default value)" \fR. \fR
-.P
-.I strict
-.RS 4
-In order to enable this strategy, FORT must be compiled using the flag:
-ENABLE\_STRICT\_STRATEGY. e.g.
-\fB $ make FORT_FLAGS='-DENABLE_STRICT_STRATEGY'\fR
-.P
-RSYNC every repository publication point separately. Only skip publication
-points that have already been downloaded during the current validation cycle.
-(Assuming each synchronization is recursive.)
-.P
-For example, suppose the validator gets certificates whose caRepository access
-methods (in their Subject Information Access extensions) point to the following
-publication points:
-.P
-1. rsync://rpki.example.com/foo/bar/
-.br
-2. rsync://rpki.example.com/foo/qux/
-.br
-3. rsync://rpki.example.com/foo/bar/
-.br
-4. rsync://rpki.example.com/foo/corge/grault/
-.br
-5. rsync://rpki.example.com/foo/corge/
-.br
-6. rsync://rpki.example.com/foo/corge/waldo/
-.P
-A validator following the `strict` strategy would download `bar`, download
-`qux`, skip `bar`, download `corge/grault`, download `corge` and skip
-`corge/waldo`.
-.P
-This is the slowest, but also the strictly correct sync strategy.
-.RE
-.P
-.I root
-.RS 4
-For each publication point found, guess the root of its repository and RSYNC
-that instead. Then skip any subsequent children of said root.
-.P
-(To guess the root of a repository, the validator counts four slashes, and
-prunes the rest of the URL.)
-.P
-Reusing the caRepository URLs from the `strict` strategy (above) as example, a
-validator following the `root` strategy would download
-`rsync://rpki.example.com/foo`, and then skip everything else.
-.P
-Assuming that the repository is specifically structured to be found within as
-few roots as possible, and they contain minimal RPKI-unrelated noise files, this
-is the fastest synchronization strategy. At time of writing, this is true for
-all the current official repositories.
-.RE
-.P
-.I root-except-ta
-.RS 4
-Synchronizes the root certificate (the one pointed by the TAL) in 'strict' mode,
-and once it's validated, synchronizes the rest of the repository in 'root' mode.
-.P
-Useful if you want 'root', but the root certificate is separated from the rest
-of the repository. Also useful if you don't want the validator to download the
-entire repository without first confirming the integrity and legitimacy of the
-root certificate.
-.RE
-.RE
-.P
-
.B \-\-rsync.retry.count=\fIUNSIGNED_INTEGER\fR
.RS 4
Maximum number of retries whenever there's an error executing RSYNC.
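Review bot: deleting the `--rsync.strategy` entry removes the only description of the safety property of `root-except-ta` (fetch and validate the TA certificate in strict mode before pulling whole repositories in root mode) and of the `ENABLE_STRICT_STRATEGY` build flag, but nothing in the diff says which behaviour is now hard-wired. Add one sentence under the rsync options stating the strategy that remains, and remove or update the `make FORT_FLAGS='-DENABLE_STRICT_STRATEGY'` instruction wherever the build docs still carry it, otherwise users will try a flag with no effect.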
retry it at most \fI--rsync.retry.count\fR times, waiting
\fI--rsync.retry.interval\fR seconds between each retry.
.P
-By default, the value is \fI2\fR.
+By default, the value is \fI4\fR.
.RE
.P
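Review bot: same ambiguity as the http hunk: the option header is outside the context, and the example config in this change shows `"count": 1` and `"interval": 4` for rsync retries, so the new default of 4 only fits `--rsync.retry.interval`. Confirm this paragraph is under the interval entry and not under `--rsync.retry.count`, whose description appears a few lines above.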
Default: \fI20\fR
.RE
-.B \-\-thread-pool.validation.max=\fIUNSIGNED_INTEGER\fR
-.RS 4
-Maximum number of threads that will be spawned at an internal thread pool in
-order to run validation cycles.
-.P
-When a validation cycle begins, one thread per configured TAL is utilized; once
-the whole RPKI tree of the TAL is validated, the thread is returned to the pool.
-.P
-If there are more TALs at \fI--tal\fR than \fI--thread-pool.validation.max\fR
-threads at the pool, is very likely that the validation cycles take a bit more
-of time to complete since only \fI--thread-pool.validation.max\fR threads will
-be working at the same time. E.g. if \fI--thread-pool.validation.max=2\fR and
-the location at \fI--tal\fR has 4 TAL files, only 2 TALs will be validated
-simultaneously while the rest waits in a queue until there's an available thread
-at the pool to attend them.
-.P
-By default, it has a value of \fI5\fR. Minimum allowed value: \fI1\fR,
-maximum allowed value \fI100\fR.
-.RE
-
.B \-\-asn1-decode-max-stack=\fIUNSIGNED_INTEGER\fR
.RS 4
ASN1 decoder max allowed stack size in bytes, utilized to avoid a stack
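Review bot: the removed `--thread-pool.validation.max` text was the only statement of the validation threading model (one thread per configured TAL, capped at the pool size, default 5, range 1 to 100). With the cap gone, a reader cannot tell whether the validator now spawns one thread per TAL without limit or uses a fixed count; add a sentence near `--tal` describing the current model, and note in the changelog whether the flag is rejected or ignored when present in old configuration files.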
.RE
.P
-.B \-\-stale-repository-period=\fIUNSIGNED_INTEGER\fR
-.RS 4
-Deprecated; does nothing.
-.RE
-.P
-
.SH EXAMPLES
.B fort \-\-init-tals \-\-tal=/tmp/tal
.RS 4
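Review bot: removing the `--stale-repository-period` stub is fine on its own (it was already a no-op), but this stub was the one documented precedent for how a retired flag is communicated, and the other removals in this patch (`--shuffle-uris`, `--rsync.strategy`, `--thread-pool.validation.max`) do not follow it. Either keep "Deprecated; does nothing" stubs for all of them or state once, in the general options section, that unknown flags are rejected (or ignored) at startup.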
"count": 1,
"interval": 4
},
+ "transfer-timeout": 900,
"program": "rsync",
"arguments-recursive": [
"-rtz",
"count": 1,
"interval": 4
},
- "user-agent": "fort/1.6.2",
+ "user-agent": "fort/1.6.4",
"max-redirs": 10,
"connect-timeout": 30,
- "transfer-timeout": 0,
+ "transfer-timeout": 900,
"low-speed-limit": 100000,
"low-speed-time": 10,
"max-file-size": 1000000000,
"log": {
"enabled": true,
"output": "console",
- "level": "info",
- "tag": "Operation",
+ "level": "warning",
+ "tag": "Op",
"facility": "daemon",
"file-name-format": "global-url",
"color-output": false
.P
.\".SH COPYRIGHT
-.\" FORT-validator 2021
+.\" FORT-validator 2024
.\" MIT License
.SH SEE ALSO
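Review bot: the `.SH COPYRIGHT` section and its body are commented out with `.\"`, so bumping the year from 2021 to 2024 changes nothing in the rendered page. Either uncomment the section so the copyright and MIT license notice actually appear in `man fort`, or delete the dead lines instead of maintaining them.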