Packages are hosted in repositories based on The Update Framework{:.external} (TUF). This framework is a specification designed to enable secure delivery of software updates. TUF repositories secure updates through signed metadata attached to records that are verifiable against known trusted public and private keys. This means that any HTTP server can serve a TUF repository without the need for transport-level security, including a developer's workstation!
Packages within a repository are identified by a URL with the fuchsia-pkg scheme:
fuchsia-pkg://{{ '<var>' }}repo-hostname{{ '</var>' }}/{{ '<var>' }}pkg-name{{ '</var>' }}#{{ '<var>' }}resource-path{{ '</var>' }}
repo-hostname: Hostname of a trusted package repository, such as fuchsia.com.pkg-name: Unique identifier for the package in this repository.resource-path: Resource contained within the package, such as a component manifest.![Diagram showing how packages are resolved from a TUF repository and cached locally on the device.] (/docs/get-started/images/intro/package-resolver.png){: width=“751”}
Requests for software on a Fuchsia device are handled by the package resolver. The package resolver determines if the system already has the package cached locally. If not, the resolver fetches the meta.far from the repository and updates the necessary content BLOBs.