-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Since introduction of git 2.38 repo archive tar ball checksums are inconsistent with older releases #26620
Comments
Luckily, Gitea already supports a mechanism for changing git internal behavior. [git.config]
tar.tgz.command = gzip -cn
tar.tar.gz.command = gzip -cn The only problem is we cannot just set that as default as not everyone will have gzip installed. |
Ah, I didn't notice this section of the documentation. That is useful, thanks. |
Per suggestion in https://gitea.com/gitea/tea/issues/570, adding a note in here about the checksum mismatch that we have seen in the homebrew side, Homebrew/homebrew-core#139430 |
So I think this could be closed as it's related upstream. |
Description
Not entirely sure if this is a bug, a feature request or just an attempt to raise awareness of a potential issue to the community (I didn't see this mentioned in any other issue).
In short, the issue is that newer releases of Gitea do not produce
tar.gz
repo archives that are checksum-stable with older Gitea releases (dating back tov1.17.2
). For most clients this may not be an issue, but for us, who use Gitea as an important part of our supply-chain it has dire consequences.Details
It seems like somewhere between Gitea
v1.17.2
andv1.19.3
an upgrade of thegit
command line tool in theDockerfile
was made to2.38
(v1.19.3
appears to use2.38.5
). This brought with it a behavioral change in thegit archive
command, whichchanged its default behavior from using the
gzip(1)
command to using an internal zlib library (see commit).Since the
GetArchive
API call directly usesgit archive
under the hood, it means that thetar.gz
repository archives produced by Gitea are no longer checksum-stable. This may not have been an explicit promise of the Gitea API,but it is something that we relied upon.
Notably this issue was also faced by GitHub, who first reacted by letting clients know that this was never officially guaranteed by the API. Given the community outrage that followed and GitHub's important position in supply chains and supply chain tooling, GitHub soon rolled back the change (some more of this discussion is covered in this discussion)
On our end, to preserve the old
git archive
behavior, we needed to explicitly configure thegit
client used by Gitea like so:Discussion
If one relies on Gitea to produce checksum-stable repo archives, newer versions of Gitea will not be consistent with older releases. Where do we go from here?
At a minimum, I think this needs to be documented, although I would prefer to see something more substantial.
If Gitea wants to be a strong player in a world increasingly concerned with supply chain attacks and the likes, it might be good to actually make promises regarding checksum stable archives. Adding a few tests would be an easy way to prevent unintended changes to produced archives. Changing the default back to the old behavior (of using
gzip(1)
) like GitHub did could also be an option.Although a fix for this particular issue was outlined above, it does requires some "hackery" to get in place. One could perhaps consider exposing more of the
git
configuration through Gitea's own configuration "API"?Gitea Version
v1.19.3
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Linux
How are you running Gitea?
Helm chart
Database
PostgreSQL
The text was updated successfully, but these errors were encountered: