[Haskell-cafe] Improvements to package hosting and security
michael at snoyman.com
Thu Apr 16 10:32:06 UTC 2015
On Thu, Apr 16, 2015 at 1:12 PM Duncan Coutts <duncan at well-typed.com> wrote:
> On Thu, 2015-04-16 at 09:52 +0000, Michael Snoyman wrote:
> > Thanks for responding, I intend to go read up on TUF and your blog post
> > now. One question:
> > * We're incorporating an existing design for incremental updates
> > of the package index to significantly improve "cabal update"
> > times.
> > Can you give any details about what you're planning here?
> Sure, it's partially explained in the blog post.
> > I put together a
> > Git repo already that has all of the cabal files from Hackage and which
> > updates every 30 minutes, and it seems that, instead of reinventing
> > anything, simply using `git pull` would be the right solution here:
> > https://github.com/commercialhaskell/all-cabal-files
> It's great that we can mirror to lots of different formats so
> easily :-).
> I see that we now have two hackage mirror tools, one for mirroring to a
> hackage-server instance and one for S3. The bit I think is missing is
> mirroring to a simple directory based archive, e.g. to be served by a
> normal http server.
> From the blog post:
> The trick is that the tar format was originally designed to be
> append only (for tape drives) and so if the server simply
> updates the index in an append only way then the clients only
> need to download the tail (with appropriate checks and fallback
> to a full update). Effectively the index becomes an append only
> transaction log of all the package metadata changes. This is
> also fully backwards compatible.
> The extra detail is that we can use HTTP range requests. These are
> supported on pretty much all dumb/passive http servers, so it's still
> possible to host a hackage archive on a filesystem or ordinary web
> server (this has always been a design goal of the repository format).
> We use a HTTP range request to get the tail of the tarball, so we only
> have to download the data that has been added since the client last
> fetched the index. This is obviously much much smaller than the whole
> index. For safety (and indeed security) the final tarball content is
> checked to make sure it matches up with what is expected. Resetting and
> changing files earlier in the tarball is still possible: if the content
> check fails then we have to revert to downloading the whole index from
> scratch. In practice we would not expect this to happen except when
> completely blowing away a repository and starting again.
> The advantage of this approach compared to others like rsync or git is
> that it's fully compatible with the existing format and existing
> clients. It's also in the typical case a smaller download than rsync and
> probably similar or smaller than git. It also doesn't need much new from
> the clients, they just need the same tar, zlib and HTTP features as they
> have now (e.g. in cabal-install) and don't have to distribute
> rsync/git/etc binaries on other platforms (e.g. windows).
> That said, I have no problem whatsoever with there being git or rsync
> based mirrors. Indeed the central hackage server could provide an rsync
> point for easy setup for public mirrors (including the package files).
I don't like this approach at all. There are many tools out there that do a
good job of dealing with incremental updates. Instead of using any of
those, the idea is to create a brand new approach, implement it in both
Hackage Server and cabal-install (two projects that already have a massive
bug deficit), and roll it out hoping for the best. There's no explanation
here as to how you'll deal with things like cabal file revisions, which are
very common these days and seem to necessitate redownloading the entire
database in your proposal.
Here's my proposal: use Git. If Git isn't available on the host, then
revert to the current codepath and download the index. We can roll that out
in an hour of work and everyone gets the benefits, without the detriments
of creating a new incremental update framework.
Also: it seems like your biggest complaint about Git is "distributing Git."
Making Git an optional upgrade is one way of solving that. Another approach
is: don't use the official Git command line tool, but one of the many other
implementations out there that implement the necessary subset of
functionality. I'd guess writing that functionality from scratch in Cabal
would be a comparable amount of code to what you're proposing.
Comments on package signing to be continued later, I haven't finished
reading it yet.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Haskell-Cafe