SRC_URI instead of git fetch #53
Comments
|
But git also controls verification... |
|
No. It does not. Proof: In general, imagine you are to retrieve sources from somewhere and want to make sure you will get what you expect. If you don't have any form of hash or signature before retrieval, then it is mathematically impossible to verify that what you get is what you expect. In other words if you have no hash beforehand, then you don't know what data you expect. You are probably right that git does some verification, but not the kind we need. It probably just verifies that what you have on your disk after the fetch is the same as what resides in the remote repo at that time. Such a check is nice to have to prevent some data traffic corruption, but not what we need from security perspective. We need a hash verification with some hash we know before we commence the fetch. An example of an attack to illustrate some risks: The kind of verification we need is to make sure that absolutely all the users get always the same sources for a given ebuild version, and this cannot happen unless there is a hash of the source in the Manifest file. |
|
The ebuilds used to use SRC_URI with the source package being directly taken from the Pale Moon archives. This was changed because of a couple of reasons. At first, there was no GitHub release and the official source package had broken permissions (I think it still does). After some time they started using GitHub release packages and I switched to those (See this commit). Unfortunately they weren't consistent. I don't know if it was the Pale Moon developers' fault or GitHub's, but the checksum failed quite often and the Manifest had to be updated every time. No complaints were made in that regard once I switched to directly pulling the version tags from git. It still sometimes occurs when changes are made to the language packs, but that doesn't happen nearly as often. You raise legitimate concerns, but if going back to using GitHub release packages would mean going back to inconsistent packages to redownload and check every time, then it's probably not worth it in the face of the possibility that the Pale Moon GitHub repository could be compromised. Also, I think that that eventuality could be mitigated by starting to check commit hashes. Just a couple of things though:
I think portage should fetch into All this said, I guess we could test the GitHub release packages once again and see how it goes, but if it starts causing broken Manifests all over again we'll come back to git-r3. Oh by the way, when you want to paste code you should put it between `s (inline) or ```s (multi-line) to not have GitHub screw up the formatting. |
|
Direct usage of VCS clone/fetch system, with proper eclass assistance, is good for live ebuilds (btw don't see palemoon-9999 there :) ). As for release ebuilds... they usually set SRC_URI to archived tarballs or, if hosting allowes (as github), special url, which fetches zip archive for specific commit. Files under git control are signed by definitition (by git). |
|
Actually I didn't realise I could fetch a zip archive for a specific commit with GitHub. |
|
Unfortunately that doesn't seem to be a solution either. Having a thin Manifest really wouldn't help. From my understanding, that would only cause the files in this repository, so the ebuilds, not to be signed in the Manifest. The problems are really the files outside of it. |
|
Even one more thing which works only with SRC_URI and is broken by git fetch is using Tor: https://wiki.gentoo.org/wiki/Tor#Portage People who value privacy or want to hide from their ISP/regime/hackers what OS/packages/versions they use can only install SRC_URI and not git-fetched packages. |
|
I looked for what archive links may be got by various ways. Example with version 27.6.2.
As for as i can understand, in all these cases github doesn't prepare archives, but generates them on demand. Though for release tags... i don't know, it could prepare them as well. As for as i can understand, these commit/tag-based urls should give same content, as git-checkout. I don't know, how really releases page is maintained - may be they mark certain tags as releases, or there is some format for tag names. |
|
In my understanding, there is another problem with using Git fetches: Suppose I realized that, for some version I installed, something did not go as expected (say, something like this here: #81). Also, suppose that this "something" has its root deeply buried into some incompatibility (or whatever else) introduced in the latest Git commits. I do see two directories with current dates in portage's DISTDIR/git3-src/: I decide to revert to an older version, for which I know the problem did not occur. But since the ebuilds always fetches the current version of Pale-Moon.git and UXP.git (i.e. since the directories do not contain commit or version information in their names), I lose don't I? |
|
@sedimentation-fault No, it doesn't work like that. It doesn't matter what those directories contain at any given time. When you emerge an ebuild for a specific version, it always checkouts and builds the specific version the ebuild specifies, so you don't have to worry on that front. |
Hi, and thanks a lot for great PaleMoon ebuilds. I use them all the
time, and are very happy, except one small detail - use of git
fetching to get the sources. I always have to modify the ebuild to
change to the standard portage fetch.
Here are some reasons why standard fetch (using SRC_URI) is better
than git-r3_fetch:
Most reasons stem from this super-reason:
Package manager (e.g. Portage) will check the hashes of all
downloads. This does not happen for git fetches.
Hashing prevents corruption of data.
The biggest win of hashing is security. It's important all users and
devs build the package from the same source. Otherwise some user under
attack can fetch sources modified to contain malware, and this will
never be detected.
Another win is quality assurrance. It's imperative that everybody,
e.g. the testers of unstable version, and later users after
stabilization, all use exactly same sources. With version control,
people can do changes and re-release under same tag/version. This of
course shound be forbidden, but I have seen this happen. Hashing
simply prevents this.
I also believe the size of a tarball release is smaller than git clone.
Also git fetches screw up the whole mirroring system. Mirrors are
great for many things, but only work with standard SRC_URI fetches.
Also SRC_URI is better because then emerge -a correctly calculates and
informs the user of the download size.
SRC_URI also is great when multiple emerge is done for same source
(such as when experimenting with what flags to enable, what
optimizations, which gcc version, etc). I think git fetches refetch
all data on each merge?
Using SRC_URI allows the user to resume an abrupted fetch, because
partial file resides in DISTDIR. I don't think the same happens for
git fetches, it could in principle, but if the fetch is into
PORTAGE_TMPDIR, then this is usually cleaned after unsuccesful merge.
SRC_URI = no need to emerge git. git is a dev tool, end users should
not need it just to install packages.
SRC_URI works well together with tools, such as distclean, to clean
disk space after package is uninstalled.
A tarball is also better due to legal woes - licensing is usually
clearer, as the whole file can be easily regarded as one coherent
release, while fetching a git repo is a bit more risky - some files
can have a different license, but of course this happens rarely.
SRC_URI also works together with FETCHCOMMAND. People with special
proxy/firewall/vpn needs can still get the source, not so for git
fetches.
In general, Gentoo doesn't want cvs/svn/git-fetch sources in the tree:
https://devmanual.gentoo.org/ebuild-writing/functions/src_unpack/svn-sources/index.html
So I hope changing palemoon ebuilds to SRC_URI can facilitate their
inclusion in the official Portage tree.
Here are changes needed for SRC_URI instead of git fetch:
< inherit palemoon-2 mozlinguas-palemoon git-r3 eutils flag-o-matic pax-utils
< EGIT_REPO_URI="https://github.com/MoonchildProductions/Pale-Moon.git"
< GIT_TAG="${PV}_Release"
< git-r3_fetch ${EGIT_REPO_URI} refs/tags/${GIT_TAG}
< git-r3_checkout
This website is not so good, it didn't allow me to upload a file... :-(
The text was updated successfully, but these errors were encountered: