add auto-update for the d-keyring #457
Conversation
|
Thanks for your pull request and interest in making D better, @AntonOks! We are looking forward to reviewing it, and you should be hearing from a maintainer soon.
Please see CONTRIBUTING.md for more information. If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment. Bugzilla referencesYour PR doesn't reference any Bugzilla issue. If your PR contains non-trivial changes, please reference a Bugzilla issue or create a manual changelog. |
|
@wilzbach @MartinNowak Hi there. Seems like all checks are ok finally. Is there anything else needed or desired or are you also ok with this? thanks and regards |
|
3 weeks passed by... any feedback from anyone would be appreciated... |
thewilsonator
added
the
auto-merge-squash
| @@ -5,6 +5,8 @@ | |||
| # Authors: Martin Nowak | |||
| # Documentation: https://dlang.org/install.html | |||
|
|
|||
| # set -x | |||
There was a problem hiding this comment.
forgot this after "debugging", but then again, it is commented out and shouldn't harm, that's why I finally decided to not delete it again. anyhow, feel free to remove it...
| @@ -80,7 +82,7 @@ retry() { | |||
| for i in {0..4}; do | |||
| if "$@"; then | |||
| break | |||
| elif [ $i -lt 4 ]; then | |||
| elif [ "$i" -lt 4 ]; then | |||
There was a problem hiding this comment.
correct.
if I'm nor wrong, I had it like you suggest it now initially but "shellcheck" complained so I made it as it is... also here, feel free to change it to whatever fit's your standards / requirements...
| # check if tools where installed already and update d-keyring.gpg if necessary | ||
| local tmp | ||
| tmp=$(mkdtemp) | ||
| if [ -f "$ROOT/d-keyring.gpg" ] && [ "$(command curl https://dlang.org/d-keyring.gpg -z "$ROOT/d-keyring.gpg" -o "$tmp/d-keyring.gpg" -s -L -w "%{http_code}")" == "200" ] ; then |
There was a problem hiding this comment.
This is the real problem:
- This probably needs retry logic
- Probably needs the fallback mirrors
- Should verify the authenticity
- Shouldn't re-download the file(s) if they haven't changed
- Needs to update
install.shas well (the script changes a lot more often than the keyring) - Needs to provide the user an option to opt-out
- Should probably use "Last-Modified", "ETag" or similar to avoid unnecessary downloads
- Auto-updates need to be documented in help page, documentation and changelog (there are serious security concerns with it)
- Should have a test
There was a problem hiding this comment.
this all together is far beyond my bash foo and also the time I can / want spend on this topic, sorry...
nevertheless, some comments from here...
-
=> make's sense but I couldn't find a (smart & easy) way how to check if the file was changed without downloading it. actually I did read plenty of "curl way" post / blogs, i.e. https://blog.yjl.im/2012/03/downloading-only-when-modified-using.html and https://www.thegeekstuff.com/2012/04/curl-examples/ but at the end it seems like curl ALLWAYS downloads the file to be able to check for a change... and as it's downloaded anyhow, I decided to implement it as it is
-
=> well, if the script itself should also be updated, neither this change nor the "update" option of the script makes any sense... because in other words you ask to make the already existing"update" option an always applied defauld (from my point of view, I wouldn't like this kind of change... I want to know and control when and why a tool gets updated)
-
=> see my comments on topic nr4
This reverts commit 41a1da1.
|
Hi, I'm really sorry for not responding (things are rather busy), but this shouldn't have been merged without review. I triggered a revert, s.t. this change doesn't get accidentally deployed before we are ready to announce it. I am aware that this is a very frustrating experience and I will try to be a lot more active next time and if you understandably decide to not resubmit, I will try to find time to champion it. Sorry. |
Hey Seb, no prob and no need for apologias. |
|
@AntonOks |
@wilzbach based on the dlang/dlang.org#2817 discussion