| 1 |
On Mon, Oct 30, 2017 at 05:51:36PM +0100, Michał Górny wrote: |
| 2 |
... |
| 3 |
> Directory tree coverage |
| 4 |
> ----------------------- |
| 5 |
This section should maybe cover OPTIONAL in more detail (see more |
| 6 |
below). |
| 7 |
|
| 8 |
> The Manifest files can also specify ``IGNORE`` entries to skip Manifest |
| 9 |
> verification of subdirectories and/or files. The package manager can |
| 10 |
> support injecting ignore paths to account for additional files created, |
| 11 |
> modified or removed by user's processes that would not be ignored |
| 12 |
> by existing rules. Files and directories starting with a dot are always |
| 13 |
> implicitly ignored. All files that are not ignored must be covered |
| 14 |
> by at least one of the Manifests. |
| 15 |
(English) There are multiple points in this paragraph, and I missed on first |
| 16 |
reading. The package manager part is esp. lost. |
| 17 |
|| All files that are not ignored must be covered by at least one of the |
| 18 |
|| Manifests. Files may be ignored by several ways: |
| 19 |
|| - Files and directories starting with a dot are always implicitly |
| 20 |
|| ignored. |
| 21 |
|| - The Manifest files can specify ``IGNORE`` entries to skip |
| 22 |
|| verification of ubdirectories and/or files. |
| 23 |
|| - The package manager can support injecting ignore paths to account for |
| 24 |
|| additional files created modified or removed by user's processes that |
| 25 |
|| would not be ignored by existing rules. |
| 26 |
|
| 27 |
> File verification |
| 28 |
> ----------------- |
| 29 |
> When verifying a file against the Manifest, the following rules are |
| 30 |
> used: |
| 31 |
... |
| 32 |
> 3. If the file is covered by an entry of the ``OPTIONAL`` type: |
| 33 |
> a. if the file is present, then the verification fails, |
| 34 |
> b. otherwise, the verification succeeds. |
| 35 |
Move the OPTIONAL type further up in the verification list maybe? See |
| 36 |
the interpretation question below. |
| 37 |
|
| 38 |
|
| 39 |
> Modern Manifest tags |
| 40 |
> -------------------- |
| 41 |
... |
| 42 |
> ``IGNORE <path>`` |
| 43 |
> Ignores a subdirectory or file from Manifest checks. If the specified |
| 44 |
> path is present, it and its contents are omitted from the Manifest |
| 45 |
> verification (always pass). |
| 46 |
Clarification Needed: |
| 47 |
Should subdirectories have a trailing slash in the Manifest or not? |
| 48 |
This affects matching of the type. |
| 49 |
Case 1.1: |
| 50 |
Manifest has 'IGNORE foo'; 'foo' is a file; => ignored. |
| 51 |
Case 1.2: |
| 52 |
Manifest has 'IGNORE foo'; 'foo' is a directory; => ignored. |
| 53 |
Case 2.1: |
| 54 |
Manifest has 'IGNORE foo/'; 'foo' is a file; => FAIL |
| 55 |
Case 2.2: |
| 56 |
Manifest has 'IGNORE foo/'; 'foo' is a directory; => ignored. |
| 57 |
|
| 58 |
|
| 59 |
> ``OPTIONAL <path>`` |
| 60 |
> Specifies a file that does not exist in the distribution but if it |
| 61 |
> did, it would be marked as ``MISC``. In the strict mode, the file |
| 62 |
> must not exist for the verification to pass. The package manager |
| 63 |
> may ignore a stray file matching this entry if operating in non-strict |
| 64 |
> mode. |
| 65 |
This has gotten less clear. |
| 66 |
Is the following correct interpretation? |
| 67 |
if(package manager is strict) then |
| 68 |
Treat the OPTIONAL entry as NOT present in the Manifest. |
| 69 |
This will cause files to be in the present set but not the covered set. |
| 70 |
else |
| 71 |
Treat the OPTIONAL entry as 'IGNORE <path>' |
| 72 |
endif |
| 73 |
|
| 74 |
> ``DIST <filename> <size> <checksums>…`` |
| 75 |
> Specifies a distfile entry used to verify files fetched as part |
| 76 |
> of ``SRC_URI``. The filename must match the filename used to store |
| 77 |
> the fetched file as specified in the PMS [#PMS-FETCH]_. The package |
| 78 |
> manager must reject the fetched file if it fails verification. |
| 79 |
> ``DIST`` entries apply to all packages below the Manifest file |
| 80 |
> specifying them. |
| 81 |
Nit: You have used a unicode ellipsis '…' in some places and plain ASCII |
| 82 |
ellipsis '...' in others. Stick to ASCII? |
| 83 |
|
| 84 |
|
| 85 |
> An example Manifest file (informational) |
| 86 |
> ---------------------------------------- |
| 87 |
Can you add an example for OPTIONAL? |
| 88 |
|
| 89 |
> Tree layout restrictions |
| 90 |
> ------------------------ |
| 91 |
> The Gentoo repository does not use symbolic links. Some Gentoo |
| 92 |
> repositories do, however. To provide a simple solution for dealing with |
| 93 |
> symlinks without having to take care to implement special handling for |
| 94 |
> them, the common behavior of implicitly resolving them is used. |
| 95 |
> Therefore, symbolic links to files are stored as if they were regular |
| 96 |
> files, and symbolic links to directories are followed as if they were |
| 97 |
> regular directories. |
| 98 |
Clarification: should cross-device symlinks be rejected? (perhaps |
| 99 |
implicit, but wanted to check) |
| 100 |
If so, need to add to 'Algorithm for full-tree verification' section. |
| 101 |
|
| 102 |
> Dotfiles are implicitly ignored as that is a common notion used |
| 103 |
> in software written for POSIX systems. All other filenames require |
| 104 |
> explicit ``IGNORE`` lines. |
| 105 |
This paragraph should re-iterate that the package manager may specify |
| 106 |
additional files to be ignored per the user. |
| 107 |
|
| 108 |
> The algorithm is restricted to work on a single filesystem. This is |
| 109 |
> mostly relevant when scanning for top-level Manifest — we do not want |
| 110 |
> to cross filesystem boundaries then. However, to ensure consistent |
| 111 |
> bidirectional behavior we need to also ban them when operating downwards |
| 112 |
> the tree. |
| 113 |
> |
| 114 |
> The directories and files on different filesystems needs to be ignored |
| 115 |
> explicitly as implicitly skipping them would cause confusion. |
| 116 |
> In particular, tools might then claim that a file does not exist when |
| 117 |
> it clearly does because it was skipped due to filesystem boundaries. |
| 118 |
The downward path needs to check the device on files. |
| 119 |
Otherwise: |
| 120 |
cat/pn/Manifest |
| 121 |
cat/pn/files/ <-- different filesystem here |
| 122 |
|
| 123 |
> Non-obligatory Manifest verification |
| 124 |
> ------------------------------------ |
| 125 |
... |
| 126 |
> The traditional ``MISC`` type is amended with a complementary |
| 127 |
> ``OPTIONAL`` tag to account for files that are not provided |
| 128 |
> in the specific repository. It aims to ensure that the same path would |
| 129 |
> be non-fatal when provided by the repository but fatal when created |
| 130 |
> by the user tooling. |
| 131 |
Clarify the last sentence to be for strict mode only? |
| 132 |
|
| 133 |
> Splitting distfile checksums from file checksums |
| 134 |
> ------------------------------------------------ |
| 135 |
> |
| 136 |
> Another problem with the current Manifest format is that the checksums |
| 137 |
> for fetched files are combined with checksums for local files |
| 138 |
> in a single file inside the package directory. It has been specifically |
| 139 |
> pointed out that: |
| 140 |
> |
| 141 |
> - since distfiles are sometimes reused across different packages, |
| 142 |
> the repeating checksums are redundant, |
| 143 |
> |
| 144 |
> - mirror admins were interested in the possibility of verifying all |
| 145 |
> the distfiles with a single tool. |
| 146 |
> |
| 147 |
> This specification does not provide a clean solution to this problem. |
| 148 |
> It technically permits moving ``DIST`` entries to higher-level Manifests |
| 149 |
> but the usefulness of such a solution is doubtful. |
| 150 |
Clarification of validity: |
| 151 |
If cat/pn1 and cat/pn2 share 1000 DIST files; would it be valid to |
| 152 |
have: the following: |
| 153 |
cat/pn1/Manifest:MANIFEST ../Manifest.some-shared-name 1234 ... |
| 154 |
cat/pn1/Manifest:DIST unique-pn1-dist.tgz 1234 ... |
| 155 |
cat/pn2/Manifest:MANIFEST ../Manifest.some-shared-name 1234 ... |
| 156 |
cat/pn2/Manifest:DIST unique-pn2-dist.tgz 1234 ... |
| 157 |
|
| 158 |
> Performance considerations |
| 159 |
> -------------------------- |
| 160 |
... |
| 161 |
> To improve speed on I/O and/or CPU-restrained systems even further, |
| 162 |
> the algorithms can be easily extended to perform incremental |
| 163 |
> verification. Given that rsync does not preserve mtimes by default, |
| 164 |
> the tool can take advantage of mtime and Manifest comparisons to recheck |
| 165 |
> only the parts of the repository that have changed. |
| 166 |
Implementation note, not for GLEP addition: |
| 167 |
If the package manager caches by filename,inode,mtime locally, it can |
| 168 |
then avoid repeat-checking of the hashes (it only needs a stat), |
| 169 |
provided that it is happy there was no local attacker who might perform |
| 170 |
an in-place modification of a file (mtime&inode remain the same). |
| 171 |
|
| 172 |
> |
| 173 |
> Furthermore, the package manager implementations can restrict checking |
| 174 |
> only to the parts of the repository that are actually being used. |
| 175 |
> |
| 176 |
> |
| 177 |
> Backwards Compatibility |
| 178 |
> ======================= |
| 179 |
> |
| 180 |
> This GLEP provides optional means of preserving backwards compatibility. |
| 181 |
> To preserve the backwards compatibility, the following needs to be |
| 182 |
> ensured: |
| 183 |
"package directory" is common to all of the items here, if you move that |
| 184 |
to the list preamble, it's a lot cleaner to read. |
| 185 |
|| To preserve the backwards compatibility, the following needs to be |
| 186 |
|| ensured about package directories: |
| 187 |
And cleanup the list: |
| 188 |
s/in(side)? (that|the) package directory// |
| 189 |
s/of a package directory// |
| 190 |
|
| 191 |
-- |
| 192 |
Robin Hugh Johnson |
| 193 |
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer |
| 194 |
E-Mail : robbat2@g.o |
| 195 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 196 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives