In Docker Notary before 0.1, the checkRoot function in gotuf/client/client.go does not check expiry of root.json files, despite a comment stating that it does. Even if a user creates a new root.json file after a key compromise, an attacker can produce update files referring to an old root.json file.
{ "binaries": [ { "binary_name": "golang-github-docker-notary-dev", "binary_version": "0.1~ds1-1" }, { "binary_name": "notary", "binary_version": "0.1~ds1-1" }, { "binary_name": "notary-dbgsym", "binary_version": "0.1~ds1-1" } ], "availability": "No subscription required", "ubuntu_priority": "untriaged" }