Add new abstract methods for reporting source provenance#1997
Add new abstract methods for reporting source provenance#1997
Conversation
gtristan
requested review from
BenjaminSchubert,
abderrahim,
cs-shadow and
juergbi
as code owners
gtristan
force-pushed
the
tristan/sboms
branch
2 times, most recently
from
3c9f6fd to
0918528
Compare
|
We have been having the challenge with bst-to-lorry that we're missing a way for source to explicitly state relevant refspecs for git. Heuristically computed once are commonly incomplete or even wrong. So if there's API, it really should take this into account. The problem is that commonly in git repositories there are branches that need to be ignored (like pull request branches) since they are routinely force pushed to. Also with git_module it's common that upstream doesn't declare at all what the branch is from which commit originated. |
|
In terms of implementing this into plugins that currently use the internal API, would someone be able to write up an example plugin that uses the new API - I'm a little lost on the implementation semantics... |
gtristan
force-pushed
the
tristan/sboms
branch
3 times, most recently
from
e551c42 to
ea856b1
Compare
gtristan
changed the title
|
I've been testing this locally with freedesktop-sdk master and the sister merge requests applied:
And running: bst show --format $'%{name}\n%{source-info}' platform.bstThere are still more plugins to implement, notably we can have version guessing on the The |
See the core plugins in this PR (separate commits), or the changes in the sister PRs |
abderrahim
left a comment
abderrahim
left a comment
There was a problem hiding this comment.
I'm starting to like this, I left a few comments on how I think we can improve it.
|
Some additional thoughts now that I get down to business... Abolish the whole freeform string entirelyIn our meeting this week, we discussed that we would prefer to keep the flexibility and not require that And we discussed that we would instead prefer freeform strings for these attributes of the
Ok, this all makes sense, however now that I look at it again, I no longer see any need whatsoever of having the Instead we only need the following members:
Given that we can obtain the precise plugin and version for a given Automate the plugin specific documentationAs a separate thought, I feel like the need to associate the governing documentation of what a I think that while this can continue to be true, we could make this easier in the following way:
This approach would allow, from both a
|
I feel this pushes it too far in the opposite direction. This assumes a single mapping between a plugin kind and a (medium, version_type) pair, which isn't always the case. For instance the cargo2 plugin can use both tarballs and git repositories. Also plugins like git, git_repo and git_module are very similar in what they provide and having a user of the API need to know all the different plugins seems unweildy. The main goal behind having an API like this is to reduce the amount of knowledge that a user of the API needs about specific plugins.
"We" as humans, sure. But as a script using the API, having a well defined meaning for the version field and a standardized way to define things is very important. Even if a new value comes up later, then depending on the use case the script could output a warning or outright fail. But having it fail on every new plugin isn't scalable. |
|
[...]
Yeah, I was just now thinking about this one source with multiple source infos... its unfortunate :-/ For the different flavors of git, I'm less concerned, they could all be made to behave the same way, and in any case, they would probably anyway need to document what they mean (even if they share a freeform string) - if not, they are just taking advantage of a documented convention in upstream BuildStream (although that is still nasty because it makes BuildStream know what git is).
While this point is now moot due to the preceding point, I would have agrued that it is in fact humans which need to know "What to do with this specific plugin kind" when encountering one programatically. This is the same kind of documentation that will be needed for representing what the meaning of these free form strings are. Do you think there is any reason to have 2 different strings (one for the medium and one for the version) ? Or would it be sufficient to have a single string to define how a given |
|
[...]
I came to the following conclusions:
I've updated the branch to use |
gtristan
force-pushed
the
tristan/sboms
branch
5 times, most recently
from
14f8dfc to
ca338d5
Compare
|
This is now ready, documentation and testing and all, along with apache/buildstream-plugins#87 which is also ready to the same degree. And so is: https://gitlab.com/BuildStream/buildstream-plugins-community/-/merge_requests/364 |
gtristan
force-pushed
the
tristan/sboms
branch
6 times, most recently
from
09dedc2 to
5a95a84
Compare
abderrahim
left a comment
abderrahim
left a comment
There was a problem hiding this comment.
A few comments on the doucmentation, but otherwise looks good.
gtristan
force-pushed
the
tristan/sboms
branch
5 times, most recently
from
454610e to
fc11127
Compare
This is an opaque public data structure passed through SourceFetcher.fetch() which, if provided, must be used when invoking Source.translate_url()
This comes with some data classes to describe source provenance and versioning information.
This shows a list of all source provenance information for a given element, formatted in YAML.
The new man pages now include the bst version in them, and the documentation about generating man pages is also updated to specify that one should specify `tox -e man -- <version>`.
6 participants
This is an initial implementation for the proposal up at: https://lists.apache.org/thread/q6gxjpld2vb1c9rqlsv24m12c087snc4
Some thoughts about this approach:
This prioritizes machine readability and standardization of source provenance and version information
Sources have a lot of freedom in how they implement things, and so we may very well need to expand on the types and constants added here, such as
SourceInfoMedium,SourceVersionType, etc.The idea here is to have greater certainty about how sources are obtained, even if this cannot be covered by all currently existing source implementations (e.g. I didn't initially add a
bzrmedium for which we have a plugin, or acvsmedium for which we do not yet have a plugin).Aspirationally, forcing this data to be precise can allow adjacent tooling to do useful things.
This drops the freeform "public data" mentioned in the proposal discussion
My rationale for this choice in this branch, is that ultimately we want a data with a constant shape, and if for examlpe, we want the user to be able to override or assist a source with determining the reported "version", then the
Sourceimplementation already has everything it needs to do so:collect_source_info()however it wants.This does not yet attempt to cover the concept of tracking information
I would like to consider this, but we should think carefully about how this can be useful. For instance, some git plugins have different interpretations of what their "tracking" strings mean, sometimes following a branch head, sometimes looking for the latest tag in history which matches a given regular expression.
If we export this tracking information, it should probably be useful for external tooling to figure out how to do the tracking and come to the same conclusion, otherwise it is unclear what this is useful for.
This does not cover the CVE information
While the SourceInfo objects representing a source's provenance is a list, I believe that the CVE information continues to be a per-element concept.
For example, when we have applied security patches to a module, those security patches are, themselves, sources, with provenance of being revisioned in the local project