Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arch packages implementation #31037

Open
wants to merge 41 commits into
base: main
Choose a base branch
from

Conversation

ExplodingDragon
Copy link
Contributor

@ExplodingDragon ExplodingDragon commented May 21, 2024

close #25037

This Commit was created by d1nch8g (#25396).

This PR adds a package registry for Arch Linux packages with support for package files, signatures, and automatic pacman-database management.

Features:

  1. Push any tar.zst package and Gitea sign it.
  2. Delete endpoint for specific package version and all related files
  3. Supports trust levels with SigLevel = Required.
  4. Package UI with instructions to connect to the new pacman database and visualised package metadata

You can follow this tutorial to build a *.pkg.tar.zst package for testing

docs pr: gitea/docs#47

Co-authored-by: d1nch8g@ion.lc
Co-authored-by: @KN4CK3R
Co-authored-by: @silverwind
Co-authored-by: @mahlzahn

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 21, 2024
@pull-request-size pull-request-size bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 21, 2024
@ExplodingDragon ExplodingDragon marked this pull request as draft May 21, 2024 07:23
@github-actions github-actions bot added modifies/translation modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/docs labels May 21, 2024
@github-actions github-actions bot added modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin modifies/migrations modifies/internal modifies/js modifies/dependencies labels May 21, 2024
@pull-request-size pull-request-size bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 21, 2024
@pull-request-size pull-request-size bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 21, 2024
@ExplodingDragon
Copy link
Contributor Author

ExplodingDragon commented May 21, 2024

TODO:

  • Package signatures should be managed by Gitea, custom signatures will result in inconsistencies with index signatures.
  • Signatures should not be saved under properties
  • Pacman DB should not be generated on-the-fly, it needs to be added when uploaded
  • We should not support overwrite uploads, which breaks the structure, and should perform a delete operation before uploading.
  • Fix documentation errors .

@ExplodingDragon ExplodingDragon marked this pull request as ready for review June 28, 2024 18:55
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 16, 2024
Copy link
Member

@KN4CK3R KN4CK3R left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking until I have time to have a look.

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. labels Oct 16, 2024
@wxiaoguang
Copy link
Contributor

Blocking until I have time to have a look.

Do you have a estimated time? 1.23 is releasing soon?

@wxiaoguang
Copy link
Contributor

Made some changes:

  • Avoid using global variables (it slows down non-web commands).
  • Avoid bloating api.go, make the handlers process the requests.
  • Use unified PackageRegistryHost to avoid duplicate code.

Last call: if there is no other problem, I think this PR could be merged in a few days since it has enough tests.

@delvh
Copy link
Member

delvh commented Nov 7, 2024

@KN4CK3R did you have time to take a look at this PR?

Copy link
Member

@KN4CK3R KN4CK3R left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think this PR could be simpler just by following how the other package types are structured.

My implementation can still be found here: main...KN4CK3R:gitea:feature-arch

}

// ValidatePackageSpec Arch package validation according to PKGBUILD specification.
func ValidatePackageSpec(p *Package) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this detailed validation? If the spec changes we must keep this in sync. It is the responsibility of the client to check these when installing a package but for the registry it's less relevant.


// GetPackageFile Get data related to provided filename and distribution, for package files
// update download counter.
func GetPackageFile(ctx context.Context, group, file string, ownerID int64) (io.ReadSeekCloser, *url.URL, *packages_model.PackageFile, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use one of the existing methods in code.gitea.io/gitea/services/packages?

}

// Desc Create pacman package description file.
func (p *Package) Desc() string {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would move this code into the repository.go file to the other db related logic. Then it's not needed to have the MD5SUM and SHA256SUM fields because that info is already present.

return packages_service.GetPackageFileStream(ctx, pkgFile)
}

func GetPackageDBFile(ctx context.Context, group, arch string, ownerID int64, signFile bool) (io.ReadSeekCloser, *url.URL, *packages_model.PackageFile, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. I think this should be handled by the router.

defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
unpack := func(s string) []byte {
data, _ := base64.StdEncoding.DecodeString(strings.ReplaceAll(strings.ReplaceAll(strings.TrimSpace(s), "\n", ""), "\r", ""))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

}
rootURL := fmt.Sprintf("/api/packages/%s/arch", user.Name)

pkgs := map[string][]byte{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we need so many test packages it may be better to generate them on the fly.

Comment on lines +69 to +86
"zst": {
magic: []byte{0x28, 0xB5, 0x2F, 0xFD},
archiver: func() archiver.Reader {
return archiver.NewTarZstd()
},
},
"xz": {
magic: []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A},
archiver: func() archiver.Reader {
return archiver.NewTarXz()
},
},
"gz": {
magic: []byte{0x1F, 0x8B},
archiver: func() archiver.Reader {
return archiver.NewTarGz()
},
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any other containers than zst in the wild? All repositories I have tested just contain zst.

Comment on lines +178 to +187
pathFields := strings.Split(strings.Trim(ctx.PathParam("*"), "/"), "/")
pathFieldsLen := len(pathFields)
if pathFieldsLen < 2 {
ctx.Status(http.StatusBadRequest)
return
}

group := strings.Join(pathFields[:pathFieldsLen-2], "/")
arch := pathFields[pathFieldsLen-2]
file := pathFields[pathFieldsLen-1]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not simply specify a clean route with parameters so you don't need to rebuild the logic here?

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 8, 2024

I still think this PR could be simpler just by following how the other package types are structured.

My implementation can still be found here: main...KN4CK3R:gitea:feature-arch

If we'd like to include it in 1.23, what's your suggestion to move on?

I think we have 3 choices:

  1. Merge this as-is and refactor it later
  2. You help to improve this PR and merge it
  3. Use your implementation in a new PR and close this one (some tests seems good to be added to your implementation)

Personally I think 1 could work. If you have time recently, 2 & 3 could also work.

What's your opinion?

@KN4CK3R
Copy link
Member

KN4CK3R commented Nov 8, 2024

Problem with option 1 is that the refactoring would most likely use different routes and perhaps different metadata (stored as json) which may require migrations. So it's 2 or 3 for me. @ExplodingDragon are you willing to make/accept changes?

@ExplodingDragon
Copy link
Contributor Author

@KN4CK3R

Are there any other containers than zst in the wild?

Yes, archlinuxarm uses xz.

use different routes and perhaps different metadata (stored as json)

The use of non-json storage is to avoid serialization when generating the db.

So it's 2 or 3 for me. @ExplodingDragon are you willing to make/accept changes?

I'm ok with both, 3 is better for me, I don't have much time to work on things, I'll close this pr later, other things are up to you to determine.

@ExplodingDragon
Copy link
Contributor Author

Thanks @wxiaoguang and @yp05327 , sorry.

@wxiaoguang
Copy link
Contributor

@KN4CK3R what's the next plan? Would you like to work on this PR, or propose a new one?

@lunny
Copy link
Member

lunny commented Nov 9, 2024

I think the main conflict is the router path, other codes could be refactored later. Maybe we can do a discussion about which change's routers are better?

@wxiaoguang
Copy link
Contributor

@KN4CK3R what's the next plan? Would you like to work on this PR, or propose a new one?

If no plan, then still merge this as-is?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Arch linux packages
8 participants