Include locked melange config in control section #1622
Conversation
|
Does apk and apko somehow know to not treat .melange.json as a "normal" file? |
|
The other thought that I had is that this could leak data from a source yaml file that was assumed to be private. pipeline:
- runs: |
# here I put the comment in the body of a 'runs', which means
# it will make its way into the binary output
make mushrooms
# NB: I think that anyone that likes mushrooms or green bikesheds should go jump in a lake |
|
This does mean that a re-build of a package will be not bit for bit identical binary output if any dependencies were updated. |
Yes, and I think that's a feature and not a bug. It's very likely that if a build dependency changed the resulting package would be different anyway, and this makes it easier to determine if a package is reproducible given the same exact dependency package-versions or not. |
Yep! APKs have gzip splits between sections. It looks like a single tar.gz file but it's essentially 2 (or 3 with signatures) gzip streams concatenated together.
The control section contains metadata files about the package at the beginning, including |
jonjohnsonjr
force-pushed
the
provenance
branch
2 times, most recently
from
22ade9d to
a11a391
Compare
I have addressed this by using github.com/mvdan/sh to parse the |
|
After much deliberation I think I am going to serialize this as yaml so that it's similar to the input format and more familiar to anyone viewing it. I know there are tools to convert json to yaml, but I feel like this will be a point of friction regardless. The biggest thing for me is that yaml supports multi-line strings, which we use extensively, and having to pipe everything through a conversion tool is annoying. |
jonjohnsonjr
force-pushed
the
provenance
branch
2 times, most recently
from
f54624a to
533589a
Compare
huh. yaml is a strict superset of json, isn't it? the zip.json is'nt pretty , but it should be identical when loaded. |
|
I retact my statement above. you were interested in the readability of the content. which i think is valid. |
This adds a .melange.json file to the control section of each built APK which includes the locked (resolved and apko-solved) melange configuration used to build the package. Out of an abundance of caution, this also strips comments from the runs of any pipelines to avoid embedding them in the APKs. I've also hoisted the "If" field in pipeline to the top to match how that's usually used (as the first field, if present). Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
jonjohnsonjr
force-pushed
the
provenance
branch
from
533589a to
8c72cce
Compare
| @@ -52,6 +52,7 @@ func TestInheritWorkdir(t *testing.T) { | |||
| WorkDir: "/work", | |||
| Pipeline: []config.Pipeline{{}, { | |||
| WorkDir: "/do-not-inherit", | |||
| Runs: "#!/bin/bash\n# hunter2\necho $SECRET", | |||
This attempts to fix our ability to parse shell code with `melange` by working around parsing bugs in https://github.com/mvdan/sh in a way that hopefully doesn't actually change build logic. We first noticed this problem while seeing wolfictl's CI failing on the latest bump of melange: https://github.com/wolfi-dev/wolfictl/actions/runs/12088082103/job/33710862119?pr=1345 Related to chainguard-dev/melange#1622 cc: @jonjohnsonjr @imjasonh --------- Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
This adds a .melange.yaml file to the control section of each built APK which includes the locked (resolved and apko-solved) melange configuration used to build the package.
I've fixed the
one-arch.yamlexample because it didn't parse properly and wanted to use it as an example because it contains a test.One thing worth noting is that the test images aren't resolved here because we don't resolve them at build time. I think this is fine.
There are also a bunch of fields that we could probably make more omitempty-y by switching to pointers if we wanted to make this output a little more terse, but I'm reluctant to do that as part of this change.