From: Dieken <Dieken@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [PR PATCH] update-check: no partial response and not trust insecure certificate
Date: Sun, 02 Apr 2023 12:50:44 +0200 [thread overview]
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-43192@inbox.vuxu.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 1827 bytes --]
There is a new pull request by Dieken against master on the void-packages repository
https://github.com/Dieken/void-packages stricter-update-check
https://github.com/void-linux/void-packages/pull/43192
update-check: no partial response and not trust insecure certificate
1. My network is slow, `./xbps-src update-check xorg-server` takes 50s and `./xbps-src update-check xorg-server-xwayland` takes 11s, `curl --max-time 10` returns partial response but no error. So I remove `--max-time 10` and add `-f` to forbid partial response. It's better to call `set -eo pipefail` for the whole script but I'm not sure whether it will break the script. The CI job or interactive execution can have their own timeout.
2. `-k` means `--insecure`, it's bad, we should always validate HTTPS server certificate.
<!-- Uncomment relevant sections and delete options which are not applicable -->
#### Testing the changes
- I tested the changes in this PR: **YES**
<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->
<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64-musl
- armv7l
- armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/43192.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-stricter-update-check-43192.patch --]
[-- Type: text/x-diff, Size: 2226 bytes --]
From 1c6a56334ed9724fca11c7e1bfb29bf641dbf989 Mon Sep 17 00:00:00 2001
From: Yubao Liu <yubao.liu@gmail.com>
Date: Sun, 2 Apr 2023 18:36:33 +0800
Subject: [PATCH] update-check: no partial response and not trust insecure
certificate
1. My network is slow, `./xbps-src update-check xorg-server` takes 50s
and `./xbps-src update-check xorg-server-xwayland` takes 11s, `curl
--max-time 10` returns partial response but no error. So I remove
`--max-time 10` and add `-f` to forbid partial response. It's better
to call `set -eo pipefail` for the whole script but I'm not sure
whether it will break the script. The CI job or interactive execution
can have their own timeout.
2. `-k` means `--insecure`, it's bad, we should always validate HTTPS
server certificate.
---
common/xbps-src/shutils/update_check.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/xbps-src/shutils/update_check.sh b/common/xbps-src/shutils/update_check.sh
index cd3bb369bdb3..cd5c6ad7ff96 100644
--- a/common/xbps-src/shutils/update_check.sh
+++ b/common/xbps-src/shutils/update_check.sh
@@ -94,7 +94,7 @@ update_check() {
echo "(folder) fetching $urlpfx and scanning with $rx" 1>&2
fi
skipdirs=
- curl -A "xbps-src-update-check/$XBPS_SRC_VERSION" --max-time 10 -Lsk "$urlpfx" |
+ curl -A "xbps-src-update-check/$XBPS_SRC_VERSION" -Lsf "$urlpfx" |
grep -Po -i "$rx" |
# sort -V places 1.1/ before 1/, but 1A/ before 1.1A/
sed -e 's:$:A:' -e 's:/A$:A/:' | sort -Vru | sed -e 's:A/$:/A:' -e 's:A$::' |
@@ -200,7 +200,7 @@ update_check() {
if [ -n "$XBPS_UPDATE_CHECK_VERBOSE" ]; then
echo "fetching $url and scanning with $rx" 1>&2
fi
- curl -H 'Accept: text/html,application/xhtml+xml,application/xml,text/plain,application/rss+xml' -A "xbps-src-update-check/$XBPS_SRC_VERSION" --max-time 10 -Lsk "$url" |
+ curl -H 'Accept: text/html,application/xhtml+xml,application/xml,text/plain,application/rss+xml' -A "xbps-src-update-check/$XBPS_SRC_VERSION" -Lsf "$url" |
grep -Po -i "$rx"
fetchedurls[$url]=yes
done |
next reply other threads:[~2023-04-02 10:50 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-02 10:50 Dieken [this message]
2023-04-02 20:27 ` classabbyamp
2023-04-02 23:07 ` Dieken
2023-04-02 23:15 ` classabbyamp
2023-04-02 23:16 ` classabbyamp
2023-04-02 23:28 ` Dieken
2023-04-02 23:43 ` Duncaen
2023-04-02 23:43 ` classabbyamp
2023-04-02 23:56 ` Duncaen
2023-04-03 0:02 ` Duncaen
2023-04-03 0:13 ` Dieken
2023-04-03 0:17 ` Dieken
2023-07-02 2:10 ` github-actions
2023-07-16 2:13 ` [PR PATCH] [Closed]: " github-actions
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-43192@inbox.vuxu.org \
--to=dieken@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).