x/mod/zip: verify file list without creating zip #36058
Incompatible changes would be fine too, I think: the latest tagged version of that repo is still |
This pre-receive git hook validates commits pushed to master branches to catch problems that would cause bad module versions to be produced.
The golang.org/x/mod/zip package is used to verify that the module zip includes only the expected files and no others, and doesn't violate any of the restrictions placed on Go module zips.
Improve consistency of parameter order across the codebase. Prefer to place module.Version first, source of data (repository and commit ID) second, because module version is higher level information.
Use canonical "Www-Authenticate" header case to save an allocation.
Fixes #35.
Updates golang/go#36058.
Issue #37397 is related. It's worth considering that depending on the exact goal of a user, they may want to reproduce that vendor bug in order to ensure consistent behavior with A good high-level way of asking that question is whether the user goal is to stay within the rules of the module proxy protocol, or additionally within the |
That's a good way to phrase it. Perhaps
|
Change https://golang.org/cl/235597 mentions this issue: |
These functions may be used to check whether the files in an abstract list, a directory, or a module zip file satisfy the module name and size constraints listed in the package documentation.
Each function returns a CheckedFiles record that lists valid, omitted, and invalid files, as well as any size-related error for the whole set of files. The omitted and invalid lists have an error for each file, saying why it was omitted or invalid.
Create, CreateFromDir, and Unzip are now implemented using these functions (or common code). They now return errors based on CheckedFiles errors. Most error messages won't change, but if multiple files are invalid, they will all be listed instead of just the first one.
Fixes golang/go#36058
Updates golang/go#39091
Change-Id: I9d4d508288bbd821f93423e712232d8a68356529
Reviewed-on: https://go-review.googlesource.com/c/mod/+/235597
Run-TryBot: Jay Conrod <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Bryan C. Mills <[email protected]>
Reviewed-by: Michael Matloob <[email protected]>
golang.org/x/mod/zip provides a Create function that takes a list of files ([]File). On success, it creates a zip file with some of those files. It ignores files in submodules and vendor directories and reports errors for files with invalid names or types (symbolic links). On failure, it reports an error on the first file that caused a problem.
This is not the most useful API for clients creating zip files or verifying that a set of files can be used to create a zip file. Some improvements are possible without making incompatible changes to the API:
- A Verify function that accepts []File and reports whether each file in that list will be included, ignored, or rejected. Verify would not create a zip file, and it would not read files (just stat to get sizes and types), so it should be faster than Create.
- If Create encounters an error due to the []File argument, it should return a structured error with information about each file. This should be similar to what Verify returns (perhaps whatever Verify returns can satisfy the error interface).
- Unzip should also return a structured error so that issues with multiple zip entries can be reported.
- A VerifyZip function which checks a zip file for errors without extracting it. Currently, Unzip always needs a directory to write files.
cc @dmitshur
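As an added illustration (not code from this issue, the CL, or golang.org/x/mod/zip), the following stdlib-only Go sketch shows the report-everything check the proposal describes: every listed file ends up valid, omitted, or invalid with a reason, and no file is read or zipped. Entry, Report, Check and under are hypothetical names; name validation is reduced to fs.ValidPath, vendor and submodule detection is simplified, and size limits are left out.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
)

// Entry (metadata only) and Report are hypothetical types, not x/mod/zip's own.
type Entry struct{ Path string; Mode fs.FileMode }
type Report struct{ Valid []string; Omitted, Invalid map[string]string }

// under reports whether p lies below a directory for which match is true.
func under(p string, match func(dir string) bool) bool {
	for d := path.Dir(p); d != "." && d != "/"; d = path.Dir(d) {
		if match(d) {
			return true
		}
	}
	return false
}

// Check classifies every entry and keeps going after the first problem.
func Check(entries []Entry) Report {
	r := Report{Omitted: map[string]string{}, Invalid: map[string]string{}}
	has := map[string]bool{} // every listed path, used to spot nested go.mod files
	for _, e := range entries {
		has[e.Path] = true
	}
	for _, e := range entries {
		switch {
		case !fs.ValidPath(e.Path) || e.Path == ".":
			r.Invalid[e.Path] = "invalid path"
		case under(e.Path, func(d string) bool { return path.Base(d) == "vendor" }):
			r.Omitted[e.Path] = "in vendor directory"
		case under(e.Path, func(d string) bool { return has[d+"/go.mod"] }):
			r.Omitted[e.Path] = "in submodule"
		case !e.Mode.IsRegular():
			r.Invalid[e.Path] = "not a regular file"
		default:
			r.Valid = append(r.Valid, e.Path)
		}
	}
	return r
}

func main() {
	list := []Entry{{Path: "a.go"}, {Path: "vendor/x/x.go"}, {Path: "link", Mode: fs.ModeSymlink}} // constructed
	fmt.Printf("%+v\n", Check(list))
}
```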