spack/.github/workflows
Scott Wittenburg 70824e4a5e
buildcache: Update layout and signing (#30750)
This PR introduces a new build cache layout and package format, with improvements for
both efficiency and security.

## Old Format
Currently a binary package consists of a `spec.json` file at the root and a `.spack` file,
which is a `tar` archive containing a copy of the `spec.json` format, possibly a detached
signature (`.asc`) file, and a tar-gzip compressed archive containing the install tree.

```
build_cache/
  # metadata (for indexing)
  <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json
  <arch>/
    <compiler>/
      <name>-<ver>/
        # tar archive
        <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spack
          # tar archive contents:
          # metadata (contains sha256 of internal .tar.gz)
          <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json
          # signature
          <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json.asc
          # tar.gz-compressed prefix
          <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.tar.gz
```

After this change, the nesting has been removed so that the `.spack` file is the
compressed archive of the install tree. Now signed binary packages will take the
form of a clearsigned `spec.json` file (a `spec.json.sig`) at the root, while unsigned
binary packages will contain a `spec.json` at the root.

## New Format

```
build_cache/
  # metadata (for indexing, contains sha256 of .spack file)
  <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json
  # clearsigned spec.json metadata
  <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json.sig
  <arch>/
    <compiler>/
      <name>-<ver>/
        # tar.gz-compressed prefix (may support more compression formats later)
        <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spack
```

## Benefits
The major benefit of this change is that the signatures on binary packages can be
verified without:

1. Having to download the tarball, or
2. having to extract an unknown tarball.

(1) is an improvement in efficiency; (2) is a security fix: we now ensure that we trust the
binary before we try to run it through `tar`, which avoids potential attacks.

## Backward compatibility
Also after this change, spack should still be able to handle the previous buildcache
structure and binary mirrors with mixed layouts.
2022-05-24 17:39:20 -04:00
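
The verification order this commit message describes, as an added example that is not Spack's code: the `.spack` archive is hashed and compared with the signed metadata before `tar` ever parses it. The `archive_sha256` field name and all helper names are hypothetical, the package is constructed inline, and the metadata is assumed to be the payload of a `spec.json.sig` whose signature has already been verified.

```python
import hashlib
import io
import json
import tarfile
import tempfile

class UntrustedArchive(Exception):
    """Raised when the .spack bytes do not match the signed metadata."""

def make_package(files):
    """Build a constructed .spack (tar.gz of a prefix) plus its metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    blob = buf.getvalue()
    # "archive_sha256" is a hypothetical field name, not Spack's schema.
    meta = json.dumps({"archive_sha256": hashlib.sha256(blob).hexdigest()})
    return blob, meta

def extract_if_trusted(verified_meta, spack_bytes, dest):
    """Compare the archive hash with the metadata BEFORE any tar parsing.

    verified_meta is assumed to be signature-checked already (e.g. by gpg).
    """
    expected = json.loads(verified_meta)["archive_sha256"]
    actual = hashlib.sha256(spack_bytes).hexdigest()
    if actual != expected:
        raise UntrustedArchive(f"sha256 mismatch: got {actual}")
    # Only now is the archive handed to the tar parser.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(spack_bytes), mode="r:gz") as tar:
        names = tar.getnames()
        tar.extractall(dest, **extra)
    return names

def demo():
    blob, meta = make_package({"bin/tool": b"#!/bin/sh\necho ok\n"})
    tampered = blob[:-1] + bytes([blob[-1] ^ 0xFF])  # corrupt the last byte
    with tempfile.TemporaryDirectory() as dest:
        names = extract_if_trusted(meta, blob, dest)
        try:
            extract_if_trusted(meta, tampered, dest)
        except UntrustedArchive as err:
            return names, str(err)
    return names, None

if __name__ == "__main__":
    print(demo())
```
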

| File | Last commit | Date |
| --- | --- | --- |
| bootstrap.yml | Run scheduled CI workflows only in the main repo (#30729) | 2022-05-19 21:35:52 +02:00 |
| build-containers.yml | build(deps): bump actions/upload-artifact from 3 to 3.1.0 (#30778) | 2022-05-21 08:57:19 +02:00 |
| execute_installer.ps1 | Add Github Actions for Windows (#24504) | 2022-03-17 09:01:01 -07:00 |
| generate_spack_yaml_containerize.sh | Update Dockerfiles and images for Spack v0.18.0 (#30216) | 2022-04-22 08:51:26 +02:00 |
| install_spack.sh | Update actions/setup-python to latest version (#28634) | 2022-01-28 14:17:59 +01:00 |
| macos_python.yml | Run scheduled CI workflows only in the main repo (#30729) | 2022-05-19 21:35:52 +02:00 |
| setup_git.ps1 | buildcache: Update layout and signing (#30750) | 2022-05-24 17:39:20 -04:00 |
| setup_git.sh | Use bash in setup_git.sh (#27676) | 2021-11-26 18:03:05 +00:00 |
| system_shortcut_check.ps1 | Add Github Actions for Windows (#24504) | 2022-03-17 09:01:01 -07:00 |
| unit_tests.yaml | build(deps): bump actions/checkout from 2 to 3.0.2 (#30235) | 2022-04-27 13:47:50 +02:00 |
| windows_python.yml | build(deps): bump actions/upload-artifact from 3 to 3.1.0 (#30778) | 2022-05-21 08:57:19 +02:00 |