BottleLoader: Use the formula stored in the bottle #3176

Merged
merged 6 commits into from Sep 29, 2017

sjackman commented Sep 19, 2017

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew tests with your changes locally?

When installing a bottle from the local file system or on http, use the formula stored in the bottle.

sjackman Sep 25, 2017

Contributor

I have a failed test to address. I'll get back to you with that later today.

  1) Formulary::factory returns a Formula when given a bottle
     Failure/Error: formula = subject.factory(bottle)
     
     BottleFormulaUnavailableError:
       This bottle does not contain the formula file:
         testball_bottle/0.1/.brew/testball_bottle.rb

Bottle version mismatch
Bottle: #{bottle_file} (#{bottle_version})
Formula: #{formula.full_name} (#{formula_version})
This bottle does not contain the formula file:

MikeMcQuaid Sep 25, 2017

Member

How about outputting the bottle file and expected formula path within it?

sjackman Sep 25, 2017

Contributor

Done.

@MikeMcQuaid

Looks good. Let me know when you've tested this thoroughly locally and will merge. Thanks!

sjackman Sep 26, 2017

Contributor

I found one odd use case: brew install -s local_bottle.tar.gz failed when copying the formula to .brew/NAME.rb, because the formula is inside the bottle and not stored anywhere on disk. I've fixed this issue with the most recent commit, 46fa99c.

sjackman Sep 26, 2017

Contributor

Do you think it would be useful to add a contents method to the Formula class, that returns the Ruby code of the formula?

MikeMcQuaid Sep 26, 2017

Member

@sjackman If there's 3 or more locations it would be used: yep, otherwise: nope.

ilovezfs Sep 26, 2017

Contributor

Masking the formula that is in the git repository in favor of one buried in a binary and, in particular, allowing that to override the checksum, seems like a security risk to me.

MikeMcQuaid Sep 26, 2017

Member

> Masking the formula that is in the git repository in favor of one buried in a binary and, in particular, allowing that to override the checksum, seems like a security risk to me.

I think the checksum should be able to be set if it's unset if that's needed for internal code but it shouldn't be able to be overridden, I agree. I wonder if it's worth reading the version from both formulae and using the one in Git if the version/revision/pkg_version match (as otherwise we are unlikely to have old bottles remain working after e.g. major post_install changes). Alternatively, the best middle ground might be only using the post_install from the bottled formula as that's the only bit that affects bottles at all.

ilovezfs Sep 26, 2017

Contributor

If we patch a critical CVE, that would still let someone blithely brew install ./badversion since the versions wouldn't be the same.

MikeMcQuaid Sep 26, 2017

Member

A thought: a warning should be output when loading a formula that exists in the tap from the tab at a newer version. If we’re aware an older version is being installed (which we can be): we should warn.

sjackman Sep 26, 2017

Contributor

Sure. I can do that.

sjackman Sep 26, 2017

Contributor

My most recent commit displays a warning when downgrading a formula.

sjackman Sep 27, 2017

Contributor

> I think the checksum should be able to be set if it's unset if that's needed for internal code

Adding the sha256 to the bottle spec is no longer necessary thanks to fixing up the logic in pour_bottle? not to freak out when formula.bottle is nil. I've removed the line that sets the sha256 of the bottle.

@@ -6,7 +6,7 @@ def initialize(name = "testball_bottle", path = Pathname.new(__FILE__).expand_pa
stable.bottle do
cellar :any_skip_relocation
root_url "file://#{TEST_FIXTURE_DIR}/bottles"
sha256 "9abc8ce779067e26556002c4ca6b9427b9874d25f0cafa7028e05b5c5c410cb4" => Utils::Bottles.tag
sha256 "d48bbbe583dcfbfa608579724fc6f0328b3cd316935c6ea22f134610aaf2952f" => Utils::Bottles.tag
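
Review bot: The second sha256 line in the stable.bottle block swaps the digest of the fixture under root_url "file://#{TEST_FIXTURE_DIR}/bottles", which means a binary tarball was replaced, yet nothing next to the change says why or how it was produced. Record in the commit message that the testball_bottle fixture was rebuilt to carry .brew/testball_bottle.rb, along with the command used, so a reviewer can regenerate the tarball and confirm the new digest instead of accepting an opaque binary change.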

MikeMcQuaid Sep 27, 2017

Member

Presumably: adding the formula?

sjackman Sep 28, 2017

Contributor

Yep

sjackman added some commits Sep 25, 2017

  • pour_bottle?: Fix when formula.bottle is nil
    formula.bottle is nil when bottle.compatible_cellar? is false. Use formula.bottle_specification.compatible_cellar? rather than formula.bottle.compatible_cellar?.
  • Fix installing a local bottle from source
    Factor Utils::Bottles.formula_contents out of BottleLoader.
  • FormulaInstaller: Warn when tap version is newer
    Warn if a more recent version of this formula is available in the tap.
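
An added sketch, not Homebrew's code, of the checks discussed in this thread: finding the formula at NAME/VERSION/.brew/NAME.rb inside a bottle, warning when the tap already has a newer version, and letting a bottle fill in a checksum only when the tap has none. All function names are hypothetical, versions are assumed to be plain dotted numbers that Gem::Version can compare, and the sample bottle is constructed in memory.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# Hypothetical helpers, not Homebrew's API. The layout NAME/VERSION/.brew/NAME.rb
# is taken from the test failure quoted in the thread.
class BottleFormulaMissing < StandardError; end

def formula_path_in_bottle(name, version)
  "#{name}/#{version}/.brew/#{name}.rb"
end

# Return the formula source embedded in a gzipped bottle tarball (given as bytes).
def formula_from_bottle(bottle_bytes, name, version)
  wanted = formula_path_in_bottle(name, version)
  Zlib::GzipReader.wrap(StringIO.new(bottle_bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each { |entry| return entry.read if entry.file? && entry.full_name == wanted }
    end
  end
  raise BottleFormulaMissing, "This bottle does not contain the formula file: #{wanted}"
end

# A warning string when the tap already carries a newer version, else nil.
def downgrade_warning(name, bottle_version, tap_version)
  return nil if tap_version.nil?
  return nil unless Gem::Version.new(tap_version) > Gem::Version.new(bottle_version)
  "#{name} #{tap_version} is available in the tap; this bottle installs #{bottle_version}"
end

# The tap's checksum always wins; the bottle may only fill in a missing one.
def effective_sha256(tap_sha256, bottle_sha256)
  tap_sha256 || bottle_sha256
end

# Constructed sample: build a tiny gzipped bottle in memory from {path => body}.
def sample_bottle(entries)
  tar_io = StringIO.new("".b)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    entries.each { |path, body| tar.add_file_simple(path, 0o644, body.bytesize) { |f| f.write(body) } }
  end
  gz_io = StringIO.new("".b)
  gz = Zlib::GzipWriter.new(gz_io)
  gz.write(tar_io.string)
  gz.finish
  gz_io.string
end
```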

MikeMcQuaid Sep 29, 2017

Member

Thanks again @sjackman!

@MikeMcQuaid MikeMcQuaid merged commit 296a441 into Homebrew:master Sep 29, 2017

3 checks passed

codecov/patch 91.66% of diff hit (target 67.08%)
codecov/project 67.09% (+<.01%) compared to cb139ca
continuous-integration/travis-ci/pr The Travis CI build passed

@sjackman sjackman deleted the sjackman:bottle-formula branch Sep 29, 2017

sjackman Sep 29, 2017

Contributor

Woo hoo! Thanks for merging, Mike!
