Comments (15)
After looking around this seems like what is being asked for in #55 as well?
from obs-service-tar_scm.
Yes, in principle I'm in favour of something more flexible, as long as it doesn't introduce security holes.
One approach might be to support something like this:
<param name="versionformat">%gd</param>
<param name="git-describe">--match='v[0-9]*'</param>
<param name="git-describe-sed">s/^v//; s/-g[0-9a-f]\{7\}$//; s/-/+/</param>
So that if the closest tag was v1.2.3 and there have been 4 commits since that tag, then the version would be 1.2.3+4.
Although this has the limitation of only allowing a single string to be extracted from git describe.
@aspiers There's an rpm version issue with +4, as this leads to the situation where v1.2.3.1 would be seen below v1.2.3+1. Better would be using '~' instead of '+', as this is special-cased.
@frispete Right - thanks for the heads up on that :)
Actually, I think a better way of solving this would be to allow execution of an arbitrary command (which could be a script within the package) which would be responsible for determining the version, e.g.
<param name="version-command">extract-git-version.sh</param>
or
<param name="version-command">git describe --match='v[0-9]*' | sed 's/^v//; s/-g[0-9a-f]\{7\}$//; s/-/+/'</param>
However this would allow arbitrary command execution within source service runs, which could be a gaping security hole. @adrianschroeter Are server-side source service runs done in a security-isolated sandbox? i.e. is this a problem we already have to deal with in other source services, or would it be introducing a big new security issue?
On Tuesday, 21 June 2016, 04:52:30 CEST, Adam Spiers wrote:
Actually, I think a better way of solving this would be to allow execution of an arbitrary command (which could be a script within the package) which would be responsible for determining the version, e.g.
This is IMHO not a good idea; it would make it quite dangerous to use the service then.
It should always be safe to check out and build a package source without needing to check the sources. Otherwise it is a security issue.
<param name="version-command">extract-git-version.sh</param>
or
<param name="version-command">git describe --match='v[0-9]*' | sed 's/^v//; s/-g[0-9a-f]\{7\}$//; s/-/+/'</param>
However this would allow arbitrary command execution within source service runs, which could be a gaping security hole. @adrianschroeter Are server-side source service runs done in a security-isolated sandbox? i.e. is this a problem we already have to deal with in other source services, or would it be introducing a big new security issue?
Adrian Schroeter
email: [email protected]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
OK, forget that idea then ;-)
I wrote:
Although this has the limitation of only allowing a single string to be extracted from git describe.
Right now I can't think of a strong reason why that would be a problem. However even sed scripts let you execute arbitrary commands so we would somehow need to sanitise them, which sounds really hard. Bah :-( Any other good suggestions?
On Tuesday, 21 June 2016, 05:31:21 CEST, Adam Spiers wrote:
I wrote:
Although this has the limitation of only allowing a single string to be extracted from git describe.
Right now I can't think of a strong reason why that would be a problem. However even sed scripts let you execute arbitrary commands so we would somehow need to sanitise them, which sounds really hard. Bah :-( Any other good suggestions?
Do you allow injecting sed regexps into one of our maintained services?
It is fine to have a personal service running at build time run any scripts though.
Adrian Schroeter
Do you allow injecting sed regexps into one of our maintained services?
Not currently, but that was my previous suggestion.
It is fine to have a personal service running at build time run any scripts though.
Yeah, but at build-time is too late for determining the version, and that's the problem we're trying to solve here in a flexible manner. We could support the <param name="version-command">extract-git-version.sh</param> feature only for local source service runs, and disable it on server-side runs, or do you even see that as a risk?
@boombatower Now that we merged your commit 960d0ce in #132, is that sufficient, or do we still need something more?
This is a different issue entirely, but up to you what you want to do with this. Such problems are fun as that commit took two years, hehe. :)
I'm probably being stupid, but I don't see how it's an entirely different issue - isn't it now possible to accomplish what you originally requested here, using @PARENT_TAG@, @TAG_OFFSET@, and versionrewrite-{pattern,replacement}? If not, please could you explain what's still missing? Thanks a lot!
I think the original post sums up the idea.
For projects using git it seems to make sense to just use git describe directly instead of including all the parts in the format.
Perhaps %gd (gd = git describe)?
Sure one could use the versionrewrite to drop the v afterwards, but the idea was to use git describe directly. The idea being that the common patterns are either release tags or rolling commit based packages. Rather than have to copy/paste (after finding) or piece together all the parts for such a version why not just provide one built in? Currently, there are a variety of needless subtle differences between such packages including different separator characters like ~, +, etc and different date/commit styles.
If anything this could be re-purposed as simply @ROLLING_VERSION@ which is substituted for some combination of the existing variables like you mention.
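The fixed-format approach the thread ends up with (@PARENT_TAG@, @TAG_OFFSET@ and versionrewrite-{pattern,replacement} instead of a git-describe-sed script or a version-command param), together with the one built-in rolling version the last comment asks for, as an added example in Python. This is not code from obs-service-tar_scm: the function names, the describe regex and the three sample `git describe` strings are constructed here, and versionrewrite is modelled as a single Python re.sub, which is an assumption about the project's semantics. What it demonstrates is the point Adrian raises: every step is an in-process string operation, so a hostile _service file can change the version string but cannot run commands, which a sed script or a version-command param would allow.

```python
import re

# Constructed sample `git describe --match='v[0-9]*'` outputs (not taken from the page).
SAMPLE_DESCRIBES = [
    "v1.2.3-4-gabcdef1",        # 4 commits after tag v1.2.3
    "v1.2.3",                   # checkout sits exactly on the tag
    "release-1-2-5-g1234567",   # a tag that itself contains dashes
]

# `git describe` prints <tag>[-<commits since tag>-g<abbreviated hash>].
# The non-greedy tag group lets tags containing '-' still parse correctly.
_DESCRIBE_RE = re.compile(
    r"^(?P<tag>.+?)(?:-(?P<offset>\d+)-g(?P<hash>[0-9a-f]{4,40}))?$"
)


def parse_git_describe(describe_output):
    """Split `git describe` output into (parent_tag, tag_offset, short_hash).

    A fixed-format parser: the string is matched in-process and is never
    handed to a shell, to sed, or to any other interpreter.
    """
    m = _DESCRIBE_RE.match(describe_output.strip())
    if not m:
        raise ValueError("unrecognised git describe output: %r" % describe_output)
    offset = int(m.group("offset")) if m.group("offset") else 0
    return m.group("tag"), offset, m.group("hash") or ""


def expand_versionformat(versionformat, parent_tag, tag_offset):
    """Fill in the @PARENT_TAG@ and @TAG_OFFSET@ placeholders named in the thread.

    Plain replacement of two known tokens: a versionformat string cannot
    make this function run anything.
    """
    return (versionformat
            .replace("@PARENT_TAG@", parent_tag)
            .replace("@TAG_OFFSET@", str(tag_offset)))


def rewrite_version(version, pattern, replacement, max_pattern_len=200):
    """Apply a versionrewrite-pattern / versionrewrite-replacement pair.

    Assumption (hypothetical, not checked against the project): modelled as
    one Python re.sub.  A regex replacement can only rearrange the input
    text; unlike a sed script there is no command that reads files or
    spawns processes.  The length cap is a cheap sanity limit on patterns
    from an untrusted _service file, not a full ReDoS defence.
    """
    if len(pattern) > max_pattern_len:
        raise ValueError("versionrewrite-pattern too long")
    return re.sub(pattern, replacement, version)


def rolling_version(describe_output, separator):
    """The single built-in rolling version the last comment proposes.

    Reproduces in-process what the thread's sed pipeline
    (s/^v//; s/-g[0-9a-f]\\{7\\}$//; s/-/+/) computes: drop a leading 'v'
    from the tag and append <separator><offset> when the checkout is not
    exactly on the tag.  The thread debates '+' versus rpm's special-cased
    '~'; the separator is a parameter here so either can be chosen.
    """
    tag, offset, _ = parse_git_describe(describe_output)
    base = re.sub(r"^v(?=\d)", "", tag)
    if offset == 0:
        return base
    return "%s%s%d" % (base, separator, offset)


if __name__ == "__main__":
    for out in SAMPLE_DESCRIBES:
        tag, offset, short = parse_git_describe(out)
        fmt = expand_versionformat("@PARENT_TAG@+@TAG_OFFSET@", tag, offset)
        print("%-26s tag=%-12s offset=%d hash=%-8s versionformat=%s rolling=%s"
              % (out, tag, offset, short, rewrite_version(fmt, r"^v", ""),
                 rolling_version(out, "+")))
```

A regex taken from an untrusted _service file still deserves a complexity check before it is compiled, since a pathological pattern can burn CPU on the server even though it can never execute anything; the length cap in rewrite_version only marks where such a check belongs.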