Re: Is it possible to upload new sources of a package from a URL?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



El mar, 26-09-2017 a las 01:49 +0330, Hedayat Vatankhah escribió:
> /*Pierre-yves Chibon*/ wrote on Mon, 25 Sep 2017 09:38:39 +0200:
> > On Sun, Sep 24, 2017 at 10:56:45AM +0330, Hedayat Vatankhah wrote:
> > > Dear all,
> > > Currently, AFAIK, the suggested method to upload new sources for
> > > a package
> > > is using 'fedpkg new-sources' which uploads new sources from your
> > > local
> > > system. I wonder if there is a method to upload new sources from
> > > a URL
> > > rather than your local filesystem? It is specially useful for
> > > large
> > > packages.
> > 
> > It's an interesting idea but then it would become quite hard to
> > check if there
> > is a mitm attack of some sort. With the current process, at least
> > the packager
> > has the possibility to check the sources locally before uploading
> > them into
> > Fedora.
> > The solution would be to provide the sha + the url and let the down
> > be server
> > side but that won't save you from downloading the sources locally
> > first.
> 
> Yes, but even if I'm forced to download locally, it is much better
> than 
> being forced to upload it again. (Also, note that the current
> process 
> doesn't prevent MITM if it happens when I download the source).
> Also, it is easier to schedule the download for a time when it is 
> cheaper (or free), but it'd be harder to do it for an upload since
> it 
> requires authentication.
It does if you go to the effort to fully verify the sources. Which is a
task that you are supposed to do. We have always rulled out pulling
down the sources from random machines on the internet due to not being
able to validate that the sources are correct or as intended. 

> I wonder where I can fill an RFE for this feature. The current
> situation 
> is a blocker for people like me to maintain any package with large 
> source/data archives. I saw COPR supports a similar thing, and I
> hope 
> Fedora will support it too.
It would take a lot of effort to ensure that what we get is what is
intended and can be trusted. Today We rely on you as a packager
verifying the sources, and by uploading them directly you are saying
this is really what I intended to send you and I have ensured that it
is good.  You would need to work with release engineering and
infrastucture to come up with some way to sign off on the code being
used.

Given that many times the big tarballs actually only have a small
amount of change. using exploded sources or making the copy in dist-git 
being a mirror of the upstream SCM could work better. maybe we could
make a new namespace for the upstream code mirror. then we could make
tarballs from a given commit.

Dennis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux