HTTP selfupdate #184
Open
HTTP selfupdate #184
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We did define those, but in the places where they could have been used, the @variable@ syntax was used instead, so we can just drop those.
neverpanic
force-pushed
the
cal-http-selfupdate
branch
from
fb37b9a
to
6b1bb2c
Compare
signify(1) is a tool originally developed for OpenBSD that uses modern EdDSA signatures on the ed25519 elliptic curve. Bundling this tool gives us a good way forward away from our single RSA 4096 public key that has now been in use since 2011 for all packages, all base updates and all ports trees. Shipping signify allows us to use (a) modern cryptography, (b) avoid using the same key for everything and (c) eventually phase out the RSA-RIPEMD160 signatures. The vendor/signify-osx directory is a clone of https://github.com/jpouellet/signify-osx/, udpated with the latest OpenBSD upstream signify source code from CVS using the 'make up' target of the signify-osx Makefile.
Add a new public key for use with signify(1) to verify downloaded MacPorts base relases. Adjust the Makefile to install this key in $prefix/share/macports/keys/base, so that we have a designated space for additional keys (enabling future key roll-over) and separate keys, for example for a ports tree signature.
We should not hardcode the location of the keys directory or the signify binary in any source code files, so add a autoconf variable that can be used instead.
This list of options was hard to read, hard to maintain, hard to keep sorted, and hard to diff in its current form. Move every option name to a line of its own and sort to simplify this in the future.
Currently, all of our configuration file options hold a single value only, and while we could space-separate them, this quickly gets messy due to the lack of line continuation support. Introduce a new type of configuration option than can be specified multiple times in one configuration file and appends the new value to a list, instead of overwriting the old value. Note that this append functionality happens per configuration file, to enable overwriting the defaults specified in one configuration file in the next one, rather than only appending.
To support updating MacPorts base via HTTP and avoiding the rsync download (which we currently do not distribute over multiple mirrors automatically), introduce two new multi-value configuration options release_version_url and release_url, where the former is a list of URLs to check for the current MacPorts release version, and the latter is a list of template URLs where to download the source code for a given MacPorts version. See: https://trac.macports.org/ticket/60608
Refactor the selfupdate package into smaller functions and switch to
a control flow of:
1. checking for newer versions by downloading a single URL
2. downloading the new version using HTTP when available
3. verifying the signature using EdDSA with ed25519 elliptic curve
crypto with the help of OpenBSD's signify(1)
4. automatically re-executing selfupdate for the sync step with the new
base version when base was updated
This allows us to automatically fall back to other mirrors should our
main mirror not be available. We did not have this functionality
available for our previous rsync-based mechanism.
Additionally, the use of our standard curl wrapper enables displaying
a progress bar for the download and automatically uses any proxies that
might already be configured for HTTP.
Since we currently do not have a standard mechanism to sign the source
code tarballs uploaded to our distfiles server and github releases page
(we only sign the tarball pushed to rsync), I've taken the liberty to
introduce a new modern signature scheme for this channel – if we have to
touch this anyway, we might as well use modern tools and algorithms.
Previously, we would instruct users to re-run selfupdate manually when
MacPorts base was updated, because Portfiles might already require the
new base version to index correctly. This step has now been automated
using an idea that lives on the migration branch, where the port.tcl
client automatically re-executes itself in this situation.
This patch also adds support for a list of mirrors specified in the
ports tree at _resources/port1.0/fetch/base_mirror_sites.list, so that
we can add and remove mirrors without releasing a new version of
MacPorts base. Base itself comes preconfigured with the GitHub releases
URL if this list is not available.
See: https://trac.macports.org/ticket/60608
Those options were used for rsync-based selfupdate, but this is no longer required since MacPorts now uses HTTP to update itself. See: https://trac.macports.org/ticket/60608
neverpanic
force-pushed
the
cal-http-selfupdate
branch
from
6b1bb2c
to
4fdcf6f
Compare
jmroot
reviewed
Oct 19, 2020
There was a problem hiding this comment.
This all looks pretty reasonable for the most part. Two issues are:
- The scope of this PR is quite large, covering multiple features: switching selfupdate from rsync to HTTPS, adding signify and using it for signature verification, and re-executing after updating base to continue with syncing the ports tree. Some of it can't be merged yet. It might be better to split it up so some can be merged sooner?
- The new selfupdate method is going to be very difficult to adequately test without doing an actual release. I think it would be safer to start by adding the HTTPS method but use rsync by default for the first release, so developers and interested users can try out HTTPS selfupdate under real world conditions, but everyone else doesn't break if there are bugs. Then for the next release, make HTTPS the default, then if all goes well, remove rsync in the next release.
| set macports::$option [string trim $val] | ||
| global macports::$option | ||
| } elseif {$option in $bootstrap_multivalue_options} { |
There was a problem hiding this comment.
I'm not terribly happy about having two different behaviours for options in the config file. Is it just to avoid long lines?
There was a problem hiding this comment.
Yes. Do you have a better suggestion on how to achieve this?
| @@ -0,0 +1 @@ | |||
| D | |||
There was a problem hiding this comment.
Might want to add the CVS stuff to .gitignore.
neverpanic
commented
Oct 20, 2020
There was a problem hiding this comment.
We could merge everything up to and including "macports1.0: Sort and format list of options", and merge the rest later?
I like the idea of having this available selectively first, but I fear it would not really give us good test coverage unless we make it the default and fall back to rsync if it fails. I can take a look at implementing that, if you want?
| set macports::$option [string trim $val] | ||
| global macports::$option | ||
| } elseif {$option in $bootstrap_multivalue_options} { |
There was a problem hiding this comment.
Yes. Do you have a better suggestion on how to achieve this?
| @@ -0,0 +1 @@ | |||
| D | |||
Sounds good. Remember to add the .gitignore changes first.
That would be even better I guess. Probably still have a command-line option to make it use rsync, just in case. |
|
Can we revisit this? Would it be possible to test base + bundled signify using the buildbots? |
|
This needs spitting into smaller parts, and some refactoring to keep the rsync selfupdate as fallback. I haven't found the time to implement that yet, unfortunately. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: A few things still need to happen before this can be merged:
_resources/port1.0/fetch/base_mirror_sites.listI'm uploading this so you can have a look and see if you notice any issues with my approach. Note that this should be reviewed commit-by-commit – otherwise you'll get a huge patchset that's not simple to review.
Description
Refactor the selfupdate package into smaller functions and switch to a control flow of:
This allows us to automatically fall back to other mirrors should our main mirror not be available. We did not have this functionality available for our previous rsync-based mechanism.
Additionally, the use of our standard curl wrapper enables displaying a progress bar for the download and automatically uses any proxies that might already be configured for HTTP.
Since we currently do not have a standard mechanism to sign the source code tarballs uploaded to our distfiles server and github releases page (we only sign the tarball pushed to rsync), I've taken the liberty to introduce a new modern signature scheme for this channel – if we have to touch this anyway, we might as well use modern tools and algorithms.
Previously, we would instruct users to re-run selfupdate manually when MacPorts base was updated, because Portfiles might already require the new base version to index correctly. This step has now been automated using an idea that lives on the migration branch, where the port.tcl client automatically re-executes itself in this situation.
This patch also adds support for a list of mirrors specified in the ports tree at _resources/port1.0/fetch/base_mirror_sites.list, so that we can add and remove mirrors without releasing a new version of MacPorts base. Base itself comes preconfigured with the GitHub releases URL if this list is not available.
See: https://trac.macports.org/ticket/60608