ngclient RequestsFetcher: make timeout part of the public API #2268
Description of issue or feature request:
TrustUpdater in the ngclient APIs can be given a RequestsFetcher to use or, if one is not supplied, will construct a default one.
RequestsFetcher in turn has a default socket timeout (via self.socket_timeout) of 4 seconds, per TUF's mitigations against "slow retrieval"-style attacks.
Unfortunately, this timeout might be too conservative for some real-world network scenarios: CI providers like GitHub Actions will occasionally de-prioritize network traffic, causing failures in tools like sigstore-python that use TUF to bootstrap their roots of trust.
We have a temporary workaround for this as part of sigstore/sigstore-python#432, where we plan to use a timeout of 30s (under the operating theory that this is more than acceptably permissive for GitHub Actions and other CI providers, but still short enough/a hard-failing error mode). However, that patch requires us to import an _internal API and set an attribute directly, which isn't ideal 🙂
Current behavior:
RequestsFetcher is a private API.
Expected behavior:
RequestsFetcher becomes part of the ngclient public API surface, and (optionally) has a kwarg in its constructor for configuring the socket_timeout. The current approach of just modifying the attribute is also perfectly fine, given that it isn't currently marked as private.
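
The timeout trade-off raised in this issue, as an added standard-library example; it is not code from python-tuf or sigstore-python. The helper names, the local one-shot server and the scaled-down timings (0.2 s standing in for the 4 s default, 1.5 s for the 30 s workaround) are assumptions made so the sketch runs offline in a few seconds.

```python
import socket
import threading
import time

# Timings are scaled down so the demo finishes in seconds (assumption):
STRICT = 0.2     # stands in for the 4 s default socket timeout
RELAXED = 1.5    # stands in for the 30 s workaround value
THROTTLED = 0.6  # constructed: slow but healthy link (de-prioritized CI traffic)
STALLED = 3.0    # constructed: server that does not answer in any useful time

def serve_once(delay, payload=b"constructed metadata bytes"):
    """Hypothetical local server: accept one client, wait `delay` s, reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            time.sleep(delay)
            try:
                conn.sendall(payload)
            except OSError:
                pass  # client already gave up and closed the connection

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def fetch(port, socket_timeout):
    """Return the payload, or None if no data arrives within socket_timeout."""
    with socket.create_connection(("127.0.0.1", port), timeout=socket_timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return None  # hard failure: the client refuses to wait any longer

def compare():
    """Run the three cases and report which fetches succeeded."""
    return {
        "strict_on_throttled": fetch(serve_once(THROTTLED), STRICT) is not None,
        "relaxed_on_throttled": fetch(serve_once(THROTTLED), RELAXED) is not None,
        "relaxed_on_stalled": fetch(serve_once(STALLED), RELAXED) is not None,
    }

if __name__ == "__main__":
    print(compare())
```

The strict timeout rejects the throttled but healthy server, while the relaxed one accepts it and still fails hard against the stalled server.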