lib/pull: Default checksum for archive mirror, add TRUSTED_HTTP flag #1212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jlebon
reviewed
Sep 26, 2017
src/ostree/ot-builtin-pull.c
Outdated
| @@ -57,6 +58,7 @@ static GOptionEntry options[] = { | |||
| { "mirror", 0, 0, G_OPTION_ARG_NONE, &opt_mirror, "Write refs suitable for a mirror and fetches all refs if none provided", NULL }, | |||
| { "subpath", 0, 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_subpaths, "Only pull the provided subpath(s)", NULL }, | |||
| { "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not verify checksums of local sources (always enabled for HTTP pulls)", NULL }, | |||
There was a problem hiding this comment.
The symmetry between the two options made me realize the description for this is wrong. It should be "Do verify...".
There was a problem hiding this comment.
Ooh yes, good catch! Rebased 🏄 and added a prep commit for this ⬇️
It means *do* verify for local.
Make the "local repo" processing conditional the same as the "localcache" bits; this is really just a de-indent. Also add some comments. Prep for further work.
Rather than carrying two booleans, just convert `OstreeRepoPullFlags` into `OstreeRepoImportFlags`. This allows us to drop an internal wrapper function and just directly call `_ostree_repo_import_object()`. This though reveals that our mirroring import path doesn't check the `OSTREE_REPO_PULL_FLAGS_UNTRUSTED` flag...it probably should. Prep for further work.
I now think commit fab1e11 was a mistake; because it breaks the mental model that at least I'd built up that "local repos don't have checksums verified, HTTP does". For example, a problem with this is (with that mental model in place) it's easy for people who set up mirrors like this to then do local pulls, and at that point we've done a deployment with no checksum verification. Further, since then we did PR ostreedev#671 AKA commit 3d38f03 which is really most of the speed hit. So let's switch the default even for this case to doing checksum verification, and add `ostree pull --http-trusted`. People who are in situations where they know they want this can find it and turn it on. Closes: ostreedev#1211
cgwalters
force-pushed
the
pull-http-mirror-verify-default
branch
from
3176289 to
f9b26ef
Compare
rh-atomic-bot
pushed a commit
that referenced
this pull request
Sep 26, 2017
Make the "local repo" processing conditional the same as the "localcache" bits; this is really just a de-indent. Also add some comments. Prep for further work. Closes: #1212 Approved by: jlebon
rh-atomic-bot
pushed a commit
that referenced
this pull request
Sep 26, 2017
Rather than carrying two booleans, just convert `OstreeRepoPullFlags` into `OstreeRepoImportFlags`. This allows us to drop an internal wrapper function and just directly call `_ostree_repo_import_object()`. This though reveals that our mirroring import path doesn't check the `OSTREE_REPO_PULL_FLAGS_UNTRUSTED` flag...it probably should. Prep for further work. Closes: #1212 Approved by: jlebon
rh-atomic-bot
pushed a commit
that referenced
this pull request
Sep 26, 2017
I now think commit fab1e11 was a mistake; because it breaks the mental model that at least I'd built up that "local repos don't have checksums verified, HTTP does". For example, a problem with this is (with that mental model in place) it's easy for people who set up mirrors like this to then do local pulls, and at that point we've done a deployment with no checksum verification. Further, since then we did PR #671 AKA commit 3d38f03 which is really most of the speed hit. So let's switch the default even for this case to doing checksum verification, and add `ostree pull --http-trusted`. People who are in situations where they know they want this can find it and turn it on. Closes: #1211 Closes: #1212 Approved by: jlebon
|
☀️ Test successful - status-atomicjenkins |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I now think commit fab1e11 was a mistake;
because it breaks the mental model that at least I'd built up that "local repos
don't have checksums verified, HTTP does".
For example, a problem with this is (with that mental model in place) it's easy
for people who set up mirrors like this to then do local pulls, and at that
point we've done a deployment with no checksum verification.
Further, since then we did PR #671 AKA commit 3d38f03 which is really most of
the speed hit.
So let's switch the default even for this case to doing checksum verification,
and add
ostree pull --http-trusted. People who are in situations where theyknow they want this can find it and turn it on.
Closes: #1211