ngclient: Move bootstrap root loading inside lock

Otherwise another process might delete the file underneath us

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

tuf/ngclient/updater.py

@@ -78,7 +78,6 @@
 try:
     # advisory file locking for posix
     import fcntl
-
     def _lock_file(f: IO) -> None:
         if f.writable():
             fcntl.lockf(f, fcntl.LOCK_EX)
@@ -92,6 +91,7 @@ def _lock_file(f: IO) -> None:
         f.write(b"\0")
         f.flush()
         f.seek(0)
+
         msvcrt.locking(f.fileno(), msvcrt.LK_LOCK, 1)
 
 
@@ -152,18 +152,19 @@ def __init__(
                 f"got '{self.config.envelope_type}'"
             )
 
-        if not bootstrap:
-            # if no root was provided, use the cached non-versioned root.json
-            bootstrap = self._load_local_metadata(Root.type)
-
-        # Load the initial root, make sure it's cached
-        self._trusted_set = TrustedMetadataSet(
-            bootstrap, self.config.envelope_type
-        )
         with self._lock_metadata():
+            if not bootstrap:
+                # if no root was provided, use the cached non-versioned root.json
+                bootstrap = self._load_local_metadata(Root.type)
+
+            # Load the initial root, make sure it's cached
+            self._trusted_set = TrustedMetadataSet(
+                bootstrap, self.config.envelope_type
+            )
             self._persist_root(self._trusted_set.root.version, bootstrap)
             self._update_root_symlink()
 
+
     @contextlib.contextmanager
     def _lock_metadata(self) -> Iterator[None]:
         """Context manager for locking the metadata directory."""