Skip to content

two package hash breaking enhancements #14511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 2, 2023
Merged

two package hash breaking enhancements #14511

merged 2 commits into from
Feb 2, 2023

Conversation

andrewrk
Copy link
Member

@andrewrk andrewrk commented Feb 2, 2023

This enhances Zig to use multihash for the hash field in package manifests, closing #14284.

Additionally, it adds the executable bit and file paths to package hashes, closing #14308.

Unfortunately, due to the Windows equivalent of executable permissions being a bit tricky, there is follow-up work to be done.

What is done in this commit is the hash modifications. At the fetch layer, executable bits inside packages are ignored. In the hash
computation layer, executable bit is implemented for POSIX but not yet for Windows. This means that the hash will not break again in the future for packages that do not have any executable files, but it will break for packages that do.

Or, perhaps, I could make the decision that zig packages will unconditionally erase the executable bit from all files in a package. This would potentially be useful for packages that want to be distributed via mechanisms that do not contain this metadata. It would also be simpler to implement, since it is already implemented, and there is nothing further to be done.

what the new hash field looks like

Unfortunately, due to the Windows equivalent of executable permissions
being a bit tricky, there is follow-up work to be done.

What is done in this commit is the hash modifications. At the fetch
layer, executable bits inside packages are ignored. In the hash
computation layer, executable bit is implemented for POSIX but not yet
for Windows. This means that the hash will not break again in the future
for packages that do not have any executable files, but it will break
for packages that do.

This is a hash-breaking change.

Closes #14308
https://multiformats.io/multihash/

Still, only SHA2-256 is supported. This is only intended to future-proof
the hash field of the manifest.

closes #14284
@andrewrk andrewrk added enhancement Solving this issue will likely involve adding new logic or components to the codebase. breaking Implementing this issue could cause existing code to no longer compile or have different behavior. zig build system std.Build, the build runner, `zig build` subcommand, package management labels Feb 2, 2023
@andrewrk andrewrk merged commit 7505d19 into master Feb 2, 2023
@andrewrk andrewrk deleted the zig-build-hashes branch February 2, 2023 19:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking Implementing this issue could cause existing code to no longer compile or have different behavior. enhancement Solving this issue will likely involve adding new logic or components to the codebase. zig build system std.Build, the build runner, `zig build` subcommand, package management
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant