-
-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create self-describing bottles #17838
Comments
On the surface, this seems reasonable and useful from at least a mirroring point of view (as it's a bit tricky to mirror currently). However it is a bit more complicated. The data in the API allows many Homebrew commands to work offline and significantly faster, such as There's also a security element. We sign the API JSON so it cannot be tampered with by mirrors. No independent protection exists for manifests (it's covered by the bottle sha256s being included in the signed API JSON). I would like to lean on the manifests more overall, but only if it doesn't degrade the above. |
This is my main concern here, too. |
I'm not proposing getting rid of the API or its data, I am proposing that the exact same data should be stored alongside the bottle in the container registry.
OCI artifacts can be signed and verified in a similar way to how Homebrew signs the API JSON, Notary and cosign are both established standards for signing and verifying OCI artifacts. |
How would a client (e.g. Hops) know what formulae are available without using the API here?
TIL, thanks. I think that signing would be a hard requirement on our end for either this or #17837. It might be the best first step, here. |
JFYI: We don't do it at the OCI layer, but Homebrew does indeed use Sigstore (the stack under (Not sure if this is relevant to you; I just noticed the cosign reference 🙂) |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Verification
brew install wget
. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.Provide a detailed description of the proposed feature
Update the bottle artifacts pushed to the homebrew/core container registry so they are self-describing. Currently the bottle artifacts do not contain the formula's API metadata.
This can be accomplished by uploading the formula's API JSON data and referencing the blob as the bottle manifests' config.
What is the motivation for the feature?
Combined with #17837, this would allow bottles to be installed without the API.
Two sets of metadata exist for a bottle, the tab contained in an annotation and the API data. The tab is a subset of the necessary information and could contain conflicting information.
How will the feature be relevant to at least 90% of Homebrew users?
Faster install times without downloading the full formula index from the API.
What alternatives to the feature have been considered?
Not implementing the feature.
The text was updated successfully, but these errors were encountered: