-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adguardhome: Bump to 0.107.55 #25521
base: master
Are you sure you want to change the base?
Conversation
Originally posted by @BKPepe in #25450 (comment) |
net/adguardhome/Makefile
Outdated
PKG_SOURCE_VERSION:=v$(PKG_VERSION) | ||
PKG_SOURCE_URL:=https://github.com/AdguardTeam/AdGuardHome | ||
PKG_MIRROR_HASH:=d74702bc4f8b82bda64a0a937a98e73ee602c21b9361c0c683671212e03e9316 | ||
PKG_SOURCE:=v$(PKG_VERSION).tar.gz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, please check how other packages have done for this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels so nasty when we have a tarball for this but you just cant use it because of download.pl
And it's even worse when the git script is doing a full clone from the repository, it's almost 3x larger than the tarball from tags
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the size matter on the computer, which you are using for the buildsystem to evenutally to cross-compile packages for your devices? :-) I did not verify the size so far of your proposed solution, which says use upstream tag tarballs without the reason, why instead of the Git repo.
However, using Git sources is not preferred at least from my point of view. Its a big security risk, because if someone tinkers with the tarball, checksum is not verified anyhow. See: https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html
In your case, you might want to use codeload, though. If we are talking about using codeload or your proposed solution, dont forget, that the tarball is created by GitHub itself, which means that there isnt checksum to verify (see checksums.txt file) in their release. Sometimes autogenerated tarballs are missing some things, which are required to have to build the package and the tarball from GitHub can be changed anyhow and then the checksum is not valid (I havent experienced this case, yet, but others said yes...)
So, I dont find anything wrong to keep using Git sources, i still dont know the reason, why you did it. 🤷
We are not living in the ideal world.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please do not repeat the same mistakes with libxz issue
And it's even worse when the git script is doing a full clone from the repository, it's almost 3x larger than the tarball from tags
also, why is the git script not doing shallow clones? does it pull the entire commit history?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vincejv May I ask what are you talking about, the xz backdoor incident? I can't understand why you are mentioning that here
And yes, in my case the script is doing a full clone.
Cloning into 'adguardhome-0.107.54'...
remote: Enumerating objects: 38166, done.
remote: Counting objects: 100% (76/76), done.
remote: Compressing objects: 100% (49/49), done.
Receiving objects: 1% (514/38166), 204.00 KiB | 15.00 KiB/s
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BKPepe because the script is doing a full clone, and for some reason my git keeps failing if trying to clone a very large repository, so I want to use tarballs instead.
Please forgive me for being so dumb, I still can't understand this... Even though the tarball is generated by Github, it's from a git tag, and in most cases it shouldn't change
We also have PKG_HASH
to check malicious tarballs in case someone tries to do something nasty
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Ra2-IFV exactly what you are trying to do, getting the code from the tarballs instead of the repository and the tarball contained tainted and malicious backdoor code, which was NOT present at all in the repository, no one was able to check as reviewing source code from tarballs is not part of the code review process.
so the attacker uploaded a tarball by himself, and it's different from the repository?
it was assumed the tarball = reviewed source code, but it was not, the maintainer injected code and blobs before signing and uploading the tarballs
See: https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html\
But from the wikipedia and other sources, Jia Tan gained trust from other developers and seems the malicious codes are already in the repository, he just signed off a new release..
Jia Tan gained the position of co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well let's back to the topic. I believe @BKPepe was talking about the filename at first.
Your PR will create a unidentifiable tarball with just some random numbers and it could lead potential conflict issue.
So again, please check other packages for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! I noticed that!
And the solution is PKG_SOURCE_URL:=https://codeload.github.com/vim/vim/tar.gz/v$(PKG_VERSION)?
Just copy pasted and replaced from xray package, so again thank you so much my dear teacher 😢
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uh sorry, that's for another pull request but almost the same.
3322bf8
to
e150e82
Compare
Should I change initrc files in a seprate commit? |
Yes |
Bump version to 0.107.55, change log in links below. Use tarballs from upstream tags instead of a Git repo. Link: https://github.com/AdguardTeam/AdGuardHome/milestone/90?closed=1 Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
e150e82
to
f42465a
Compare
Move working directory from `/var/adguardhome` to `/var/lib/adguardhome`, according to Linux FHS. Add option to store PID file, defaulting to `/run/adguardhome.pid`. Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
f42465a
to
ea9420a
Compare
don't know, this looks like to be an issue from upstream
…On January 3, 2025 2:13:52 AM UTC, gl-dude ***@***.***> wrote:
Has this PR or #25639 been confirmed to fix #25600?
Even though the AdGuard Home package hasn't been changed in months, it recently started to be compiled without the assets for the admin panel embedded into the executable.
--
Reply to this email directly or view it on GitHub:
#25521 (comment)
You are receiving this because you were mentioned.
Message ID: ***@***.***>
|
Bump version to 0.107.54, change log in links below.
Use source from upstream tag tarballs instead of Git repo. Move working directory from
/var/adguardhome
to/var/lib/adguardhome
, according to Linux FHS.Add option to store PID file, defaulting to
/run/adguardhome.pid
.Link: https://github.com/AdguardTeam/AdGuardHome/milestone/89?closed=1
Maintainer: @dobo90 @1715173329
Compile tested: working on it
Run tested: not yet
Description: