Document fast-forward attack recovery

Document why deleting the timestamp and snapshot files
is not needed to recover from a fast-forward attack.

Signed-off-by: Teodora Sechkova <[email protected]>

Author: sechkova

tuf/ngclient/_internal/metadata_bundle.py

@@ -243,6 +243,11 @@ def root_update_finished(self):
         if self.root.signed.is_expired(self.reference_time):
             raise exceptions.ExpiredMetadataError("New root.json is expired")
 
+        # No need to recover from fast-forward attack here since
+        # timestamp and snapshot are not loaded at this point and
+        # when loaded later will be verified with the new rotated
+        # keys.
+
         self._root_update_finished = True
         logger.debug("Verified final root.json")