Package manifest checksum TOFU #6322
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@swift-ci please smoke test |
yim-lee
commented
Mar 24, 2023
| { result in queue.async { closure(result) } } | ||
| } | ||
| } | ||
|
|
||
| private enum StorageModel { | ||
| struct Container: Codable { | ||
| let versionFingerprints: [String: [String: StoredFingerprint]] | ||
| // version -> fingerprint kind -> fingerprint content type | ||
| let versionFingerprints: [String: [String: [String: StoredFingerprint.V2]]] |
There was a problem hiding this comment.
Note the storage model changes
| ) { | ||
| let contentType = Fingerprint.ContentType.manifest(toolsVersion) | ||
|
|
||
| self.readFromStorage( |
There was a problem hiding this comment.
Unlike source archives, registry doesn't provide expected checksum for manifests, so here we do true TOFU I suppose, and that is if checksum not found in storage we save it (whereas for source archive we have registry as an other source).
| @@ -67,7 +68,8 @@ public final class RegistryClient: Cancellable { | |||
| authorizationProvider: AuthorizationProvider? = .none, | |||
| customHTTPClient: LegacyHTTPClient? = .none, | |||
| customArchiverProvider: ((FileSystem) -> Archiver)? = .none, | |||
| delegate: Delegate? | |||
| delegate: Delegate?, | |||
| checksumAlgorithm: HashAlgorithm | |||
There was a problem hiding this comment.
This moves passing of checksumAlgorithm from downloadSourceArchive to "global"
tomerd
approved these changes
Mar 27, 2023
tomerd
reviewed
Mar 27, 2023
neonichu
approved these changes
Mar 28, 2023
Motivation: SwiftPM should do checksum TOFU for package manifests. Modifications: - Modify fingerprint storage structure to store fingerprint by content type - Modfiy fingerprint storage API to allow retrieving fingerprints by content type - Add API to `ChecksumTOFU` for manifests - Wire up manifest TOFU in `RegistryClient`
|
@swift-ci please smoke test |
|
@swift-ci please test Windows platform |
tomerd
approved these changes
Mar 28, 2023
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Mar 28, 2023
* Package manifest checksum TOFU Motivation: SwiftPM should do checksum TOFU for package manifests. Modifications: - Modify fingerprint storage structure to store fingerprint by content type - Modfiy fingerprint storage API to allow retrieving fingerprints by content type - Add API to `ChecksumTOFU` for manifests - Wire up manifest TOFU in `RegistryClient` * address review feedback
yim-lee
added a commit
that referenced
this pull request
Mar 29, 2023
* Package manifest checksum TOFU Motivation: SwiftPM should do checksum TOFU for package manifests. Modifications: - Modify fingerprint storage structure to store fingerprint by content type - Modfiy fingerprint storage API to allow retrieving fingerprints by content type - Add API to `ChecksumTOFU` for manifests - Wire up manifest TOFU in `RegistryClient` * address review feedback
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Currently fingerprints are for source archive (checksum from registry) and source repo (git hash from SCM) only. Additional content types need to be supported if SwiftPM were to do TOFU for manifest files too.
Modifications: