[Buildroot] [PATCH 1/1] package/pkg-download: add per package download fallback disable
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Sep 11 07:47:34 UTC 2022
Justin, All,
On 2022-09-08 11:23 -0400, jwood+buildroot at starry.com spake thusly:
> From: Justin Wood <jwood+buildroot at starry.com>
>
> This is useful in cases where a package is added without hashes (e.g. private packages)
> and you do not want to risk MITM attacks of the package itself. While still allowing
> download of packages that are third party with hashes, from unreliable upstreams.
>
> This adds a new ${PKG}_DISABLE_FALLBACK_DOWNLOAD that is checked when DOWNLOAD would be
> called to not include URIs from the backup site.
I think the best solution in such a case, is to actually add hashes for
internal packages anyway, because that allows one to ensure the
reproducibility of a build (e.g. if the package comes from git, it will
detect when/if a tag has been moved).
Additionally, I think internal setups should:

  - not use a backup site at all, i.e. BR2_BACKUP_SITE=""

  - use an internal primary mirror that points to an internal machine,
    e.g. BR2_PRIMARY_SITE="https://internal.my-company/storage/buildroot/"
    and manually fill it with the sources needed by the project, like in
    running:

        $ make my_board_defconfig
        $ BR2_DL_DIR=$(pwd)/dl make source
        $ scp -r dl user@internal.my-company:/storage/buildroot/

    If something a bit more fancy is needed, then one can use a bit of
    scripting around the output of "make show-info" to only handle URIs
    of interest.

  - block downloads from the internet to avoid unexpectedly downloading
    data that has not been vetoed yet, e.g. build in a container that
    does not have routes to go outside company network, or has firewall
    rules to DROP packets going outside.

This, too, ensures that a build is reproducible, as all the sources are
on company servers and thus there is no long-term reliance on an external
entity that may remove/change sources arbitrarily; this is not
hypothetical at all, that already happened (hence one of the reasons for
the hashes we have to begin with).
I.e. I think this type of behaviour is best served by the environment
and the setup, rather than by adding new features in Buildroot.
Regards,
Yann E. MORIN.
> Additionally we use the new backup URIs if the new variable is unset in the json data
> URI list to ensure consistency for consumers who do not use this feature.
>
> Signed-off-by: Justin Wood <jwood at starry.com>
> ---
> package/pkg-download.mk | 9 +++++++--
> package/pkg-utils.mk | 5 +++++
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/package/pkg-download.mk b/package/pkg-download.mk
> index 0718f21aad..af5855230c 100644
> --- a/package/pkg-download.mk
> +++ b/package/pkg-download.mk
> @@ -74,8 +74,12 @@ export BR_NO_CHECK_HASH_FOR =
> # DOWNLOAD_URIS - List the candidates URIs where to get the package from:
> # 1) BR2_PRIMARY_SITE if enabled
> # 2) Download site, unless BR2_PRIMARY_SITE_ONLY is set
> -# 3) BR2_BACKUP_SITE if enabled, unless BR2_PRIMARY_SITE_ONLY is set
> #
> +# BACKUP_DOWNLOAD_URIS - List the backup candidate URIs where to get packages from:
> +# 1) BR2_BACKUP_SITE if enabled, unless BR2_PRIMARY_SITE_ONLY is set
> +# and unless ${PKG}_DISABLE_DOWNLOAD_FALLBACK is set
> +#
> +# In both vars above:
> # Argument 1 is the source location
> # Argument 2 is the upper-case package name
> #
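Review bot: the new comment block spells the variable ${PKG}_DISABLE_DOWNLOAD_FALLBACK, while the commit message above calls it ${PKG}_DISABLE_FALLBACK_DOWNLOAD. Pick one spelling and use it in both places; a package that sets the other name would silently keep the backup site, which is the exact case the option is meant to rule out for packages without hashes.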
> @@ -91,7 +95,7 @@ ifeq ($(BR2_PRIMARY_SITE_ONLY),)
> DOWNLOAD_URIS += \
> $(patsubst %/,%,$(dir $(call qstrip,$(1))))
> ifneq ($(call qstrip,$(BR2_BACKUP_SITE)),)
> -DOWNLOAD_URIS += \
> +BACKUP_DOWNLOAD_URIS += \
> $(call getschemeplusuri,$(call qstrip,$(BR2_BACKUP_SITE)/$($(2)_DL_SUBDIR)),urlencode) \
> $(call getschemeplusuri,$(call qstrip,$(BR2_BACKUP_SITE)),urlencode)
> endif
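Review bot: renaming the `+=` target to BACKUP_DOWNLOAD_URIS removes the backup site from DOWNLOAD_URIS for every caller, not only for packages that set the new variable. Any use of DOWNLOAD_URIS that this patch does not also update loses the backup entries without warning, so either list and convert all callers, or leave DOWNLOAD_URIS as it was and filter the backup entries at the point of use when the per-package variable is set.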
> @@ -122,6 +126,7 @@ define DOWNLOAD
> $(if $($(2)_GIT_SUBMODULES),-r) \
> $(if $($(2)_GIT_LFS),-l) \
> $(foreach uri,$(call DOWNLOAD_URIS,$(1),$(2)),-u $(uri)) \
> + $(if( $($(PKG)_DISABLE_DOWNLOAD_FALLBACK),,$(foreach uri,$(call BACKUP_DOWNLOAD_URIS,$(1),$(2)),-u $(uri))) \
> $(3) \
> $(QUIET) \
> -- \
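Review bot: the added line in DOWNLOAD opens with `$(if( $(` and the stray parenthesis leaves the expression unbalanced, so make will not evaluate it as the `if` function. It also tests `$($(PKG)_DISABLE_DOWNLOAD_FALLBACK)` although every other line of this macro takes the upper-case package name from `$(2)`; suggest `$(if $($(2)_DISABLE_DOWNLOAD_FALLBACK),,$(foreach ...))` so the check follows the same argument as the URI lists.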
> diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
> index 6ece27baa2..a279a41df8 100644
> --- a/package/pkg-utils.mk
> +++ b/package/pkg-utils.mk
> @@ -167,6 +167,11 @@ define _json-info-pkg-details
> $(foreach uri,$(call DOWNLOAD_URIS,$(dl),$(1)), \
> $(call mk-json-str,$(subst \|,|,$(uri))) \
> ) \
> + $(if $($(PKG)_DISABLE_DOWNLOAD_FALLBACK),,\
> + $(foreach uri,$(call BACKUP_DOWNLOAD_URIS,$(dl),$(1)), \
> + $(call mk-json-str,$(subst \|,|,$(uri))) \
> + ) \
> + ) \
> )
> ]
> },
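Review bot: the condition in _json-info-pkg-details reads `$($(PKG)_DISABLE_DOWNLOAD_FALLBACK)`, but the surrounding lines identify the package by `$(1)`, as in `$(call DOWNLOAD_URIS,$(dl),$(1))`. If PKG is not set to the package being described when this macro is expanded, the JSON will list backup URIs that the download step would skip (or the reverse); use `$($(1)_DISABLE_DOWNLOAD_FALLBACK)` so the reported URIs match what DOWNLOAD is given.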
> --
> 2.37.2
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
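An added example, not part of the original message or of Buildroot: one way to script around "make show-info", as suggested in the reply above, to list which packages would still be fetched from hosts outside an internal mirror. The JSON layout (`downloads[].uris[]`, each entry a `scheme[|option]+url` string), the sample data and the function names are assumptions made for this sketch.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout assumed for "make show-info" output.
SAMPLE_SHOW_INFO = json.dumps({
    "busybox": {"downloads": [{"source": "busybox-x.y.z.tar.bz2", "uris": [
        "https+https://internal.my-company/storage/buildroot/busybox",
        "https+https://www.busybox.net/downloads",
        "http|urlencode+http://sources.buildroot.net/busybox",
    ]}]},
    "my-private-app": {"downloads": [{"source": "my-private-app-x.y.tar.gz", "uris": [
        "https+https://internal.my-company/storage/buildroot/my-private-app",
    ]}]},
    "skeleton": {"downloads": []},  # package with nothing to download
})


def uri_host(entry):
    """Drop the assumed 'scheme[|option]+' prefix and return the URL's host.

    Returns None when no host can be parsed, so the caller can flag the
    raw entry instead of silently accepting it.
    """
    _, sep, url = entry.partition("+")
    return urlsplit(url if sep else entry).hostname


def external_downloads(show_info_text, allowed_hosts):
    """Map package name -> sorted hosts (or unparsed entries) not allowed."""
    report = {}
    for pkg, details in json.loads(show_info_text).items():
        seen = {
            uri_host(uri) or uri  # keep the raw entry if it has no host
            for dl in details.get("downloads", [])
            for uri in dl.get("uris", [])
        }
        outside = sorted(h for h in seen if h not in allowed_hosts)
        if outside:
            report[pkg] = outside
    return report


if __name__ == "__main__":
    for pkg, hosts in external_downloads(
            SAMPLE_SHOW_INFO, {"internal.my-company"}).items():
        print(f"{pkg}: {', '.join(hosts)}")
```

With BR2_BACKUP_SITE="" and only the primary mirror configured, the report for a real tree should come back empty.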