redownload pkgs when source hash verification fails #8500
Conversation
| if sz /= Sec.fileInfoLength (Sec.trusted fileInfo) | ||
| then return False | ||
| else Sec.compareTrustedFileInfo (Sec.trusted fileInfo) <$> Sec.computeFileInfo (Sec.Path file :: Sec.Path Sec.Absolute) | ||
| if infoVerified then return True else warn verbosity "whoops" >> return False) -- TODO |
There was a problem hiding this comment.
When you get around to this TODO, could you also make this more readable? The do in parens is hard to parse. E.g.,
Sec.withIndex repoSecure $ \callbacks -> do
let verification = do
fileInfo <- Sec.indexLookupFileInfo callbacks pkgid
sz <- Sec.FileLength . fromInteger <$> getFileSize file
if sz /= Sec.fileInfoLength (Sec.trusted fileInfo)
then return False
else Sec.compareTrustedFileInfo (Sec.trusted fileInfo) <$> Sec.computeFileInfo (Sec.Path file :: Sec.Path Sec.Absolute)
infoVerified <-
verification
`Sec.catchChecked` (\(e :: Sec.InvalidPackageException) -> warn verbosity (show e) >> return False)
`Sec.catchChecked` (\(e :: Sec.VerificationError) -> warn verbosity (show e) >> return False)
if infoVerified then return True else warn verbosity "whoops" >> return False) -- TODOwhich also changes the semantics slightly, probably resulting in a less puzzling warning if an exception occurs.
There was a problem hiding this comment.
Thanks for noticing the TODO. I refactored and cleaned up, but could not factor out into a let block as suggested -- the checked exceptions mechanism in hackage-security is fiddly, and trying some obvious things still resulted in a situation where the typechecker yelled at me. I'm sure it could be made to work, but I think the code after the refactor is sufficiently more clear.
|
I don't think this is very CI testable. The best way I can think to test it is to fetch a package, then go into the cached downloads, mess with the downloaded package, and then attempt another action on it. I don't necessarily think adding a new test here makes much sense. |
Co-authored-by: Hécate Moonlight <[email protected]>
mergify
bot
added
the
merge delay passed
| handleError act = do | ||
| res <- Safe.try act | ||
| case res of | ||
| Left e -> warn verbosity ("Error verifying fetched tarball " ++ file ++ ", will redownload: " ++ show (e :: SomeException)) >> pure False |
There was a problem hiding this comment.
Is this error message triggered if file simply does not exist?
There was a problem hiding this comment.
if it is, it's pretty urgent to fix, since it's causing a warning spam: #8571 (comment)
There was a problem hiding this comment.
Yes, this function verifyFetchedTarball is called only in one place in the code, for all elements of repoTarballPkgsWithMetadataUnvalidated, which seems to contain ids of any packages that come from a secure repo, regardless of whether they were ever downloaded:
There was a problem hiding this comment.
A solution would be to move the partitioning wrt if a package is already downloaded (the block containing checkRepoTarballFetched) earlier and apply it to allPkgLocations instead of repoTarballPkgsWithoutMetadata. Only packages that are already downloaded would then be checked for RepoSecure and then verified. Does that make sense?
There was a problem hiding this comment.
Or, better, avoiding some filesystem IO, partition repoTarballPkgsWithMetadataUnvalidated wrt if a package is already downloaded.
…load elim warning spam from #8500
Resolves #7451
(possibly)
Adds a call, when checking hashes in project planning, to also verify the hashes of existing tarballs downloaded from secure repos to make sure things haven't "changed out" as the might in the case of a mutable head.hackage or the like.