Replies: 9 comments 22 replies
-
Not every template is located on GitHub, so the digest should still make a sense for non-GitHub URLs |
Beta Was this translation helpful? Give feedback.
-
This seems to be an interesting take on the "curl pipe sh" debate, currently stuck in "curl + review + sh" limbo https://www.tumblr.com/curlpipesh https://docs.docker.com/engine/install/ubuntu/#install-using-the-convenience-script I suppose one could use IPFS, but that is as cumbersome as ORAS. Some people use anchors as a workaround. |
Beta Was this translation helpful? Give feedback.
-
That is my concern: it is just another option that clutters up the And it is not that the issue cannot be solved easily with a few lines of shell script, so I don't feel the need to provide a shortcut for a thing that nobody asked for. |
Beta Was this translation helpful? Give feedback.
-
I think I figured it out: the checksums should be an optional suffix on the template locator: $ limactl create https://example.com/templates/our.yaml@deadbeef This means we don't need extra parameters in the UI, and no extra fields in the implementation; the checksums ride for free in the locator string. And while I still don't think anybody will use this, it automatically provides for this: basedOn: template://fedora@feedc0de
provision:
- file: script.sh@decafbad If a locator ending in a @digest is passed to Things to bike-shed:
My bike-shed is blue with pink polka dots:
Having a compact format makes things easier to read/write without line wrapping, and 7 characters are plenty protection against accidental collision. People worrying about malicious changes can use the full checksum. @AkihiroSuda WDYT? |
Beta Was this translation helpful? Give feedback.
-
It can be sort of "forged", in the GitHub URL: $ curl https://raw.githubusercontent.com/lima-vm/lima/79529f879b566f02eacd705e1f8746ea7cb37a5b/DEMO-3019
Demo file for <https://github.com/lima-vm/lima/discussions/3019>.
This file will be visible via <https://raw.githubusercontent.com/lima-vm/lima/.../DEMO-3019>.
However, this file does not really belong to the <https://github.com/lima-vm/lima> repo. So, |
Beta Was this translation helpful? Give feedback.
-
I realized that the issue is more complex than just calculating digests of the template files: provision:
- file: script.sh Even if I have a digest for this template, it doesn't tell me if the So an obvious improvement would be to calculate the digest not on the raw template, but once it has been assembled (all dependencies have been embedded). But that digest is still a bit brittle: if Lima is updated, and either Another issue would be if the template in turn depends on one of our distro templates, e.g. And finally, if the template creation takes basedOn: "template://{{.Param.distro}}"
param:
distro: ubuntu Now I want to run
It may end up that we'll have to say: "If you want to use template digests, you have to use single-file templates, or you have to store the assembled template somewhere you control, and reference from there". So you could do something like limactl tmpl copy --embed --param distro=fedora https://templates.r.us/dynamic.yaml my-fedora.yaml
sha256sum my-fedora.yaml and then share the assembled template from your own web property. That way it will have a static digest. Anyways, this turns into a rabbit hole, and I think will be much easier to discuss once we have played with the mechanism a bit, and written a couple of multi-file templates, and seen what works well, and what doesn't. So let's revisit this in a couple of month... |
Beta Was this translation helpful? Give feedback.
-
Since keeping digest of many small files updated is such a chore1, I've been wondering about alternatives. Some way how you can sign both YAML and script files, and template assembly would then be able to verify that all pieces either have a matching digest, or are signed by a trusted party (like the Lima developers). I think I can figure out the signing part of the YAML and shell scripts (unless you tell me that the YAML files need to comply with the YAML spec to the letter and we can't create our own directive because they are all reserved). But the problem is the the signing tool, and the list of trusted parties. This sounds like GPG is the only option, and with that we have already lost 95% of the potential users. 😞 So, I currently don't see a way to make it work, but if you have some ideas... Footnotes
|
Beta Was this translation helpful? Give feedback.
-
A bike shedding for another microformat: |
Beta Was this translation helpful? Give feedback.
-
I would like to restart this discussion from actual use cases. I think digests are generally only needed to verify that a resource under external control is not being changed without the consumer being aware of it. Example templateThe Example company provides the basedOn: example.yaml
provision:
- script: foo.sh All the Example company templates are based on the basedOn: template://ubuntu
provision:
- file: example.sh The shell script content doesn't matter here. Use-case 1: Use Example's
|
Beta Was this translation helpful? Give feedback.
-
In #3009 (comment) @AkihiroSuda wrote:
I find this cumbersome to use. I think if you want a locator for an immutable template, you should use a content-addressable store to fetch it from instead of requiring an additional digest.
Trust assumptions:
Then you can use a raw commit id to point to a specific version of the template, e.g. to run the Lima 1.0.2 release version of
template://fedora
:We could add another scheme to download templates from OCI registries, but I would not spend any effort on it unless somebody really needs it.
These URLs will work fine with turning relative locators into absolute ones.
So I don't think we need any explicit support for checksumming template files.
As for using checksums for individual
basedOn
orfile
references, I think this is totally impractical. If this is important, then you would runlimactl template assemble
(or whatever we end up calling it) to embed everything into a single file, and then store a checksum for that.Beta Was this translation helpful? Give feedback.
All reactions