cmd-{fetch,build}: strip out digests from lockfiles #854
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The digest fields in lockfiles have been more trouble than they're worth so far. The major problem is signing: adding a signature to an RPM of course changes its digest. There are two main issues. The first is that when adding an override, there's no way to know the digest ahead of time since the package isn't signed yet. It becomes signed when the override is accepted and tagged into the pool. The second is that the same package NEVRA may be present in different repos and signed with different keys, resulting in different hashes, even if the payload is the same (for more details on this case, see coreos/rpm-ostree#1927). One could add repo origin information as part of the lockfile, but that does not correspond to what we actually do in FCOS, since packages initially come from Bodhi, and are then imported into the pool (and even then, there's no guarantee that the package isn't already there with a different signature). A possible solution is to instead use the CPIO payload digest, but that information is not part of the repo metadata, so it'd require some work for rpm-ostree to download the packages and select the right one. Not especially hard, but definitely non-trivial. In practice, we don't really need digests in the lockfile. For repos which don't use GPG checking, it could provide some security benefits. Though in our case, GPG verification is turned on for all the repos anyway. But more importantly, all our data comes from Koji, which forbids buildings two packages with the same NEVRA. We could fold this into rpm-ostree under a new flag, though I think its current behaviour makes sense overall. It just doesn't work well for us.
|
This is blocking the FCOS move to f31. Open for discussions though if you have some other ideas! |
|
@jlebon - any reason not to merge? |
Nah, just wanted to give time for anyone else to chime in. OK, let's do this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The digest fields in lockfiles have been more trouble than they're worth
so far. The major problem is signing: adding a signature to an RPM of
course changes its digest.
There are two main issues. The first is that when adding an override,
there's no way to know the digest ahead of time since the package isn't
signed yet. It becomes signed when the override is accepted and tagged
into the pool.
The second is that the same package NEVRA may be present in different
repos and signed with different keys, resulting in different hashes,
even if the payload is the same (for more details on this case, see
coreos/rpm-ostree#1927).
One could add repo origin information as part of the lockfile, but that
does not correspond to what we actually do in FCOS, since packages
initially come from Bodhi, and are then imported into the pool (and even
then, there's no guarantee that the package isn't already there with a
different signature).
A possible solution is to instead use the CPIO payload digest, but that
information is not part of the repo metadata, so it'd require some work
for rpm-ostree to download the packages and select the right one. Not
especially hard, but definitely non-trivial.
In practice, we don't really need digests in the lockfile. For repos
which don't use GPG checking, it could provide some security benefits.
Though in our case, GPG verification is turned on for all the repos
anyway. But more importantly, all our data comes from Koji, which
forbids buildings two packages with the same NEVRA.
We could fold this into rpm-ostree under a new flag, though I think its
current behaviour makes sense overall. It just doesn't work well for us.