hgweb: reproducible archives
Gregory Szorc
gregory.szorc at gmail.com
Sat Apr 7 05:51:22 UTC 2018
On Sat, Mar 24, 2018 at 1:01 PM, Alexander Sergeyev <sergeev917 at gmail.com>
wrote:
> On Sat, Mar 24, 2018 at 01:59:33PM -0400, Augie Fackler wrote:
>
>> If you need checksummable archives, depending on the output of `hg
>> archive` to be stable from one invocation to the next is probably
>> imprudent, unfortunately.
>>
>
> Yes, I think this is pretty reasonable to expect.
>
> I did some digging in mercurial sources. The web request handler is at [1]
> and is more or less just using the archival module. Apparently, the order of
> files should not be a problem since the file list is sorted and pushed
> one-by-one into the resulting archive [2]. File modification times look
> deterministic too since the changeset mtime is used for all files.
>
> Still, the reason for introducing file sorting was not reproducibility [3]
> and I can't find an indication that checksummable archives were considered
> to be a feature. This does not prove anything, since the entire pipeline
> must be deterministic (including compression itself), and there could be
> complications (see [4], [5]).
>
> Unfortunately, the whole situation means delays in rolling out a firefox
> release with security patches [6]:
>
>> So gentoo will have to create and mirror a specific tarball on its own as
>> well to avoid random digest errors (and the legality of this will need to
>> be re-checked as well against the latest MPL).. It's administrivia, but
>> necessary nevertheless.
>>
>
> [1] https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/hgweb/webcommands.py#l1133
> [2] https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/archival.py#l322
> [3] https://www.mercurial-scm.org/repo/hg/rev/51932c835b74
> [4] https://stackoverflow.com/questions/45035782
> [5] https://superuser.com/questions/705877
> [6] https://bugs.gentoo.org/650472
>
I audited the archival code a few weeks ago as part of <day job> and my
conclusion was that it is deterministic. However, the .hg_archival.txt file
may not be deterministic, depending on how it is configured and how the
repository changes over time.
https://bugzilla.mozilla.org/show_bug.cgi?id=1432591#c22 has the full
context.
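
An added example, not part of the original message and not Mercurial's code: a Python sketch of the points raised in this thread (sorted member order, one changeset mtime for all files, and a deterministic compression stage), showing that the gzip header timestamp alone changes the digest. The file names, contents and timestamp are constructed sample values.

```python
import gzip
import hashlib
import io
import struct
import tarfile

# Constructed sample input: file contents and a changeset timestamp.
FILES = {"src/b.c": b"int b;\n", "README": b"demo\n", "src/a.c": b"int a;\n"}
COMMIT_TIME = 1521914373


def build_archive(files, commit_time, gzip_mtime):
    """Build a .tar.gz from {path: bytes} with every variable input pinned."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):            # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = commit_time          # same mtime for every member
            info.mode = 0o644
            info.uid = info.gid = 0           # no builder identity in headers
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own 4-byte timestamp (and optionally a name).
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def gzip_header_mtime(data):
    """Return the little-endian MTIME field from the gzip header."""
    return struct.unpack("<I", data[4:8])[0]


def member_list(data):
    """Return (name, mtime) for each tar member, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [(m.name, m.mtime) for m in tar.getmembers()]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    pinned = build_archive(FILES, COMMIT_TIME, COMMIT_TIME)
    reordered = dict(reversed(list(FILES.items())))
    print(sha256(pinned) == sha256(build_archive(reordered, COMMIT_TIME, COMMIT_TIME)))
    # Same content, gzip header stamped one minute later: digest differs.
    print(sha256(pinned) == sha256(build_archive(FILES, COMMIT_TIME, COMMIT_TIME + 60)))
```
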