Opened 12 years ago

Closed 5 months ago

Last modified 4 months ago

#38265 closed enhancement (fixed)

selfupdate should fetch tarball over HTTP

Reported by: raimue (Rainer Müller) Owned by: macports-tickets@…
Priority: Normal Milestone: MacPorts 2.10.0
Component: base Version: 2.1.3
Keywords: Cc: ryandesign (Ryan Carsten Schmidt), larryv (Lawrence Velázquez), umeshksingla (Umesh Singla)
Port:

Description

The selfupdate method currently gets base.tar via rsync, checks the .rmd160 signature, extracts it and then compares the version. This has the drawback that it always downloads the base source code (at least once) and keeps it on disk. Furthermore rsync might not be available for users behind firewalls, making selfupdate impossible for them at the moment.

Instead selfupdate should do the following:

  1. Download a single file indicating the latest version (similar to macports_version)
  2. Compare the latest version available with the current installed version. If latest version is installed, goto end.
  3. Fetch the tarball and .rmd160 signature from a mirror with the filenames MacPorts-${version}.tar.bz2{,.rmd160}
  4. Verify signature
  5. Extract source, build and install
  6. After successful installation, delete tarball, .rmd160 signature file and extracted source

The advantages of this approach:

  • The version is compared before downloading any files
  • Tarballs are only downloaded if a newer version is available
  • Fetch works over HTTP and thus allows operation behind firewalls

Attachments (1)

selfupdate-over-https-wip.patch (13.2 KB) - added by raimue (Rainer Müller) 7 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: ryandesign@… added

But this problem would go away and solve itself if we replaced the selfupdate mechanism with just using the MacPorts port, as proposed in wiki:SummerOfCode#self-management

comment:2 Changed 12 years ago by larryv (Lawrence Velázquez)

Cc: larryv@… added

Cc Me!

Changed 7 years ago by raimue (Rainer Müller)

comment:3 Changed 7 years ago by raimue (Rainer Müller)

I found this old patch lying around, which I write quite some time ago. It is a work in progress and mostly untested, but it can be used as a starting point if someone else wants to pick it up.

comment:4 Changed 7 years ago by umeshksingla (Umesh Singla)

Cc: umeshksingla added

comment:5 Changed 7 years ago by raimue (Rainer Müller)

Has duplicate #16954.

comment:6 Changed 2 years ago by jmroot (Joshua Root)

WIP PR that was linked from duplicate ticket https://github.com/macports/macports-base/pull/184

comment:7 Changed 5 months ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: newclosed

In dd3acc4b974d274d922b705a9115ba1dc786104f/macports-base (master):

macports1.0: Selfupdate using HTTP(S)

Refactor the selfupdate package into smaller functions and switch to
a control flow of:

  1. checking for newer versions by downloading a single URL
  2. downloading the new version using HTTP when available
  3. verifying the signature using EdDSA with ed25519 elliptic curve crypto with the help of OpenBSD's signify(1)
  4. Fall back to the old rsync method if the above fails.

This allows us to automatically fall back to other mirrors should our
main mirror not be available. We did not have this functionality
available for our previous rsync-based mechanism.

Additionally, the use of our standard curl wrapper enables displaying
a progress bar for the download and automatically uses any proxies that
might already be configured for HTTP.

Since we currently do not have a standard mechanism to sign the source
code tarballs uploaded to our distfiles server and github releases page
(we only sign the tarball pushed to rsync), I've taken the liberty to
introduce a new modern signature scheme for this channel – if we have to
touch this anyway, we might as well use modern tools and algorithms.

Co-authored-by: Joshua Root <jmr@…>

Closes: #38265
Closes: https://github.com/macports/macports-base/pull/184

comment:8 Changed 4 months ago by jmroot (Joshua Root)

Milestone: MacPorts FutureMacPorts 2.10.0
Note: See TracTickets for help on using tickets.