Package fingerprint storage #3879
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yim-lee
requested review from
abertelrud,
elsh,
neonichu and
tomerd
as code owners
|
@swift-ci please smoke test |
tomerd
approved these changes
Nov 19, 2021
Tests/PackageFingerprintTests/FilePackageFingerprintStorageTests.swift
Outdated
Show resolved
Hide resolved
neonichu
approved these changes
Nov 29, 2021
tomerd
reviewed
Nov 29, 2021
tomerd
reviewed
Nov 29, 2021
|
|
||
| init(customFileSystem: FileSystem? = nil, customDirectory: AbsolutePath? = nil) { | ||
| self.fileSystem = customFileSystem ?? localFileSystem | ||
| self.directory = customDirectory ?? self.fileSystem.dotSwiftPM.appending(component: "fingerprints") |
There was a problem hiding this comment.
the default location can go into Workspace.Location / DefaultLocation which handles similar set ups
There was a problem hiding this comment.
Making both required so no need to have defaults here.
Motivation: Provide trust-on-first-use (TOFU) security model for package dependencies. SwiftPM will record locally the "fingerprint" of a package version when it is first downloaded and ensure the fingerprint remain the same in subsequent downloads. For package downloaded from registry, the fingerprint is the source archive checksum. For source control, it is the git revision. This PR only adds storage APIs for writing and reading package fingerprints and an implementation that uses local file system. The integration of fingerprint storage into the download workflow(s), i.e. TOFU implementation, will come in a separate PR. Modifications: - Add `PackageFingerprint` module. - Add `PackageFingerprintStorage` protocol that defines APIs for reading and writing fingerprints. - Add `FilePackageFingerprintStorage` which is an implementation based on file system.
yim-lee
force-pushed
the
fingerprint-storage
branch
from
cec0397 to
dc98e7f
Compare
|
@swift-ci please smoke test |
tomerd
approved these changes
Nov 30, 2021
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Nov 30, 2021
This is a continuation of swiftlang#3879. Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
4 tasks
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 1, 2021
This is a continuation of swiftlang#3879. Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 1, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 2, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 2, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 3, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 9, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
that referenced
this pull request
Dec 9, 2021
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 9, 2021
Wire up fingerprint storage such that it is used for integrity checks of package downloads. Fingerprint must match previously recorded value (if any) or else it would result in an error.
yim-lee
added a commit
that referenced
this pull request
Dec 10, 2021
|
Sorry @compnerd, is there anything I need to do to help fix the Windows builds? |
|
Thanks @yim-lee. I'll rest to see if I can put up a change later (tomorrow likely). Is there any new target other than PackageFingerprint or any new dependencies? |
yim-lee
added a commit
to yim-lee/swift-package-manager
that referenced
this pull request
Dec 26, 2021
|
The problem is due to packaging, so there needs to be an associated change in apple/swift-installer-scripts to package up the additional DLL. Assuming that it is just SystemPackage and OrderedCollections that are used, I think that its just the single missing dll. |
compnerd
added a commit
to compnerd/swift-installer-scripts
that referenced
this pull request
Dec 26, 2021
This adds the new Swift Package Manager content from swiftlang/swift-package-manager#3879 to the installation manifest.
|
swiftlang/swift-installer-scripts#69 should be what is needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Provide trust-on-first-use (TOFU) security model for package dependencies. SwiftPM will record locally the "fingerprint" of a package version when it is first downloaded and ensure the fingerprint remain the same in subsequent downloads.
For package downloaded from registry, the fingerprint is the source archive checksum. For source control, it is the git revision.
This PR only adds storage APIs for writing and reading package fingerprints and an implementation that uses local file system. The integration of fingerprint storage into the download workflow(s), i.e. TOFU implementation, will come in a separate PR.
Modifications:
PackageFingerprintmodule.PackageFingerprintStorageprotocol that defines APIs for reading and writing fingerprints.FilePackageFingerprintStoragewhich is an implementation based on file system.