
Linting for new packages not using git-checkout #1007

Open
dakaneye opened this issue Jun 28, 2024 · 1 comment
Labels
enhancement New feature or request needs-triage applied to all new customer/user issues. Removed after triage occurs.

Comments

@dakaneye (Member)

Description

The foundations squad has made a concerted effort to update some of our most used packages to use git-checkout over fetch.
Part of what enabled the xz attack is folks' reliance on source distributions. We should be biasing towards git-checkout in as many places as we conceivably can to prepare for a world where we want to analyze the upstream source repository for health indications, and aligning around git-checkout makes this significantly more tractable.

Therefore, we would like the normal checks done (both in the public os and enterprise-packages and extra-packages) as part of the wolfictl lint to also make sure that source code is retrieved via git-checkout instead of fetch.
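One shape such a lint rule could take, as an added example that is not wolfictl's own code or part of this issue: a line-based scan of a melange package YAML that reports every `uses: fetch` step and reports whether the file retrieves source via `uses: git-checkout`. The two YAML documents are constructed samples; the `required` flag is a hypothetical switch so the same rule can run as advisory (report but pass) or as a blocking check. The scan is deliberately not a full YAML parser, so it also catches fetch steps in subpackage pipelines without needing to know the schema.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one pipeline step that retrieves a source distribution with
// the fetch pipeline instead of checking out the upstream git repository.
type Finding struct {
	Line int    // 1-based line number in the package YAML
	Step string // the pipeline named on that line (always "fetch" here)
}

// Result is what the rule reports for one package file.
type Result struct {
	Passed   bool
	Findings []Finding
	Message  string
}

// usesRe matches a melange step line such as "  - uses: fetch" or
// "    uses: git-checkout" (the dash is optional so steps that start with
// "- name:" are covered too).
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9_./-]+)\s*$`)

// stepsUsing returns the line numbers of every step whose pipeline is `pipeline`.
func stepsUsing(yamlText, pipeline string) []int {
	var lines []int
	sc := bufio.NewScanner(strings.NewReader(yamlText))
	for n := 1; sc.Scan(); n++ {
		if m := usesRe.FindStringSubmatch(sc.Text()); m != nil && m[1] == pipeline {
			lines = append(lines, n)
		}
	}
	return lines
}

// FetchSteps lists every step that uses the fetch pipeline.
func FetchSteps(yamlText string) []Finding {
	var findings []Finding
	for _, n := range stepsUsing(yamlText, "fetch") {
		findings = append(findings, Finding{Line: n, Step: "fetch"})
	}
	return findings
}

// UsesGitCheckout reports whether at least one step checks out source with git.
func UsesGitCheckout(yamlText string) bool {
	return len(stepsUsing(yamlText, "git-checkout")) > 0
}

// Lint applies the rule to one package file. With required=false the rule is
// advisory: findings are reported but the check still passes, which is the
// rollout mode suggested in the thread for the packages that still use fetch.
func Lint(name, yamlText string, required bool) Result {
	findings := FetchSteps(yamlText)
	r := Result{Passed: true, Findings: findings}
	if len(findings) == 0 {
		r.Message = fmt.Sprintf("%s: OK, no fetch steps", name)
		return r
	}
	var where []string
	for _, f := range findings {
		where = append(where, fmt.Sprint(f.Line))
	}
	r.Message = fmt.Sprintf("%s: source retrieved with fetch at line(s) %s; prefer git-checkout",
		name, strings.Join(where, ", "))
	if required {
		r.Passed = false
	}
	return r
}

// Constructed sample: a package that still fetches a tarball (fetch step on line 5).
const sampleFetch = `package:
  name: example
  version: 1.2.3
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/example-${{package.version}}.tar.gz
      expected-sha256: 0000000000000000000000000000000000000000000000000000000000000000
  - uses: autoconf/configure
`

// Constructed sample: the same package after switching to git-checkout.
const sampleGit = `package:
  name: example
  version: 1.2.3
pipeline:
  - uses: git-checkout
    with:
      repository: https://example.invalid/example.git
      tag: v${{package.version}}
      expected-commit: 0000000000000000000000000000000000000000
  - uses: autoconf/configure
`

func main() {
	for _, r := range []Result{
		Lint("example-fetch.yaml", sampleFetch, false),
		Lint("example-git.yaml", sampleGit, true),
	} {
		fmt.Printf("passed=%v %s\n", r.Passed, r.Message)
	}
}
```

Because every fetch step is flagged, including ones that pull non-source assets, running the rule as advisory first and reviewing the findings is the sensible way to decide when it can become required.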

@dakaneye dakaneye added enhancement New feature or request needs-triage applied to all new customer/user issues. Removed after triage occurs. labels Jun 28, 2024
@rawlingsj (Member)

rawlingsj commented Jul 16, 2024

Are we thinking this should not be a required check? It looks like there are ~900 packages in wolfi that still use fetch, so any automated package update will fail the new check. So maybe we start with a non-required check?

Rough idea of Wolfi packages currently using fetch:
https://github.com/search?q=repo%3Awolfi-dev%2Fos+%22uses%3A+fetch%22&type=code
