For repositories like FileSystemRepository, I assume we don't need to check for trickle attacks, but do you think we ought to verify the hash on every read?
Circling back, yes we should verify the hash on every read in FileSystemRepository. On Fuchsia, we store our trusted root in a read-only location, so we can cryptographically verify that all the metadata and target files are based off of our initial trusted root. Since we want to protect against an attacker being able to manipulate our mutable storage, we need to check the file is as expected when we open it up.
EphemeralRepository however does not need to verify the hash, since if an attacker can modify our TUF process's memory, then they can probably skip verification altogether.
If we want to always verify from a local repo, we can close this. Since the ephemeral repo is only used for testing, it's ok if it's not particularly efficient (not that hashing is slow, but it's an unnecessary optimization).
Because we trust data once it's in the local repo, and we don't need to reverify it on every fetch.
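The verify-on-read check discussed in this thread, as an added example that is not the project's code and not written by any participant. It is sketched in Python, and `read_verified`, `VerificationError` and the sample target are hypothetical names and constructed data; the expected length and hash are assumed to come from metadata already verified against the read-only trusted root.

```python
import hashlib
import hmac
import os
import tempfile

class VerificationError(Exception):
    """Bytes on disk do not match the trusted description."""

def read_verified(path, expected_len, expected_sha256, chunk_size=64 * 1024):
    # expected_len / expected_sha256 are assumed to come from metadata already
    # verified against the read-only trusted root, never from mutable storage.
    digest, chunks, total = hashlib.sha256(), [], 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            total += len(chunk)
            if total > expected_len:
                # Stop early: never buffer more than the metadata allows.
                raise VerificationError("file is longer than trusted length")
            digest.update(chunk)
            chunks.append(chunk)
    if total != expected_len:
        raise VerificationError("file is shorter than trusted length")
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise VerificationError("SHA-256 mismatch")
    return b"".join(chunks)

def demo():
    """Store a constructed target, modify it on disk, then read it again."""
    original = b"constructed target contents v1\n"
    trusted_len, trusted_hash = len(original), hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as repo:
        path = os.path.join(repo, "target.bin")
        with open(path, "wb") as f:
            f.write(original)
        first = read_verified(path, trusted_len, trusted_hash)
        # Same length, different bytes: only the hash check catches this.
        with open(path, "wb") as f:
            f.write(original.replace(b"v1", b"v2"))
        try:
            read_verified(path, trusted_len, trusted_hash)
            second = "accepted"
        except VerificationError as err:
            second = str(err)
    return first == original, second

if __name__ == "__main__":
    print(demo())
```

A store that verified only when the file was first written would return the modified bytes on the second read; the per-read check is what rejects them.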