VSCodium / vscodium

binary releases of VS Code without MS branding/telemetry/licensing
https://vscodium.com
MIT License

AUR build using release instead of git tag #1974

Open FozzieHi opened 1 month ago

FozzieHi commented 1 month ago

I mentioned this on the AUR page, but as this repo pushes to the AUR I thought I'd mention it here.

Is there a reason why the vscodium package downloads the src from the release page instead of the git tag? I.e. why is https://github.com/VSCodium/vscodium/releases/download/1.91.1.24193/VSCodium-1.91.1.24193-src.tar.gz being used instead of https://github.com/VSCodium/vscodium/archive/refs/tags/1.91.1.24193.tar.gz?

I noticed that vscodium-git downloads straight from the branch, which obviously makes sense, so it does seem possible. I took a brief look at https://github.com/zokugun/github-actions-aur-releaser, where I saw @daiyam has contributed to both there and this repo, so I'm wondering if they know if it's possible to change it? Thanks!

daiyam commented 1 month ago

Both archives are identical. It's just to have an identical process between the Stable and Insiders versions. The Insiders versions are stored at https://github.com/VSCodium/vscodium-insiders and the tag archives are just the empty repository. github-actions-aur-releaser doesn't have anything to do with the location of the archives since it's the PKGBUILD that indicates the URL of the archive to use.

What are your concerns?

FozzieHi commented 1 month ago

Thanks, your explanation makes sense. Would it not be possible to use the main repo for the insiders AUR package as well?

The reason I'm asking is that if the PKGBUILD builds from source anyway, why download the src from the release archive instead of the repo itself? I'm certainly not saying anything nefarious is going on, but as we saw with the xz incident, it makes sense that if you're building from source, you're using the definitive version in the repo. The archive attached to the release could in theory be different if any malicious actors managed to sneak anything in.

Quoting from the XZ Utils backdoor wikipedia page:

A modified version of build-to-host.m4 was included in the release tar file uploaded on GitHub, which extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository; it was only available from tar files released by the maintainer separate from git.

daiyam commented 1 month ago

Back to your questions,

would it not be possible to use the main repo for the insiders AUR package as well?

It's possible but it would make things way harder for any benefits.

why download the src from the release archive instead of the repo itself?

It's just to have an identical process between the Stable and Insiders versions.

Oh, if you wonder about github-actions-aur-releaser, I am the owner of that project.

FozzieHi commented 1 month ago

Fair enough, if you don't think it's worth the tradeoffs, you know more about the project's CI/CD process than me.

I think you can put the source as git+github.com/VSCodium/vscodium#tag=1.91.1.24193 and then git will handle the validation for you. See how xz was changed from the release archive to the tag - https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad. I was looking for other examples, and vscodium-electron pulls it in this way as well - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=vscodium-electron

daiyam commented 1 month ago

I agree with you. We need to be extra careful since we learned about the incident with xz. I remember learning about it on the Friday and thought it would be a shitty weekend. But, hopefully, it was a botched attempt, it was caught in only 5 days and was impacting only some rolling distros.

Then for an IDE, there is the issue of the extensions... How safe are they?

The use of git...#tag= has its issues: a sneaky maintainer can make a branch, push nefarious things and replace the tag with the "bad" commit (git tag -a -f 1.91.1.24193 <commitid>). At least, with the checksum, you are sure that the source won't change in the future.

Narrat commented 1 month ago

in PKGBUILD, there is a checksum validation of the archive while there is none for the git. So it would be easier to sneak something directly in the repository.

Just want to note that with pacman 6.1.x using #tag= will now create checksums https://gitlab.archlinux.org/pacman/pacman/-/blob/master/NEWS?ref_type=heads#L54

makepkg:
(...)
- Add checksum support for git/mercurial/bzr sources
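The three points made above (pinning a PKGBUILD source with `#tag=`, a maintainer force-moving that tag with `git tag -a -f`, and a checksum catching the change) can be reproduced offline. The script below is an added example written for this page, not code from the VSCodium project or from any AUR package. It builds a throwaway git repository, tags a "good" commit with the tag name from the thread, then moves the tag onto a later commit the way daiyam describes. The recorded commit hash (what a `#commit=<sha>` source fragment would pin) and a sha256 of the tree exported with `git archive` both stop matching; the tag name alone still resolves without complaint. It assumes `git` and either `sha256sum` or `shasum` are installed; the repository contents and the appended line are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not VSCodium's or the AUR package's own code): show that a
# "#tag=" pin is only a name, and that a recorded commit hash or a checksum of
# the exported tree detects a force-moved tag.
set -eu

# git with throwaway identity and no signing, so it runs in any environment
GIT="git -c user.name=example -c user.email=example@example.invalid -c commit.gpgsign=false -c tag.gpgsign=false"

sha256_of_stdin() {
    # portable sha256 of stdin (sha256sum on Linux, shasum on macOS)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

make_repo() {
    # Create $1 with a "good" commit tagged 1.91.1.24193 and an untagged second commit.
    dir=$1
    rm -rf "$dir"
    $GIT init -q "$dir"
    echo 'console.log("hello")' > "$dir/main.js"          # constructed content
    $GIT -C "$dir" add main.js
    $GIT -C "$dir" commit -q -m "release"
    $GIT -C "$dir" tag -a -m "release" 1.91.1.24193
    echo '// constructed stand-in for an injected change' >> "$dir/main.js"
    $GIT -C "$dir" commit -q -am "innocuous-looking change"
}

tag_commit() {
    # Commit a tag currently resolves to: what a "#tag=" source would check out.
    $GIT -C "$1" rev-parse "$2^{commit}"
}

tree_checksum() {
    # sha256 of the tree exported at a ref: what a source checksum would pin.
    $GIT -C "$1" archive --format=tar "$2" | sha256_of_stdin
}

move_tag() {
    # The maintainer-side action from the thread: force the tag onto another commit.
    $GIT -C "$1" tag -a -f -m "release" "$2" "$3" >/dev/null
}

tag_unchanged() {
    # True only if the tag still points at the commit and tree the packager recorded.
    repo=$1; tag=$2; recorded_commit=$3; recorded_sum=$4
    [ "$(tag_commit "$repo" "$tag")" = "$recorded_commit" ] &&
    [ "$(tree_checksum "$repo" "$tag")" = "$recorded_sum" ]
}

demo() {
    # Returns 0 when the move is detected as expected, 1 otherwise.
    repo=${TMPDIR:-/tmp}/vscodium-tag-demo.$$
    tag=1.91.1.24193
    make_repo "$repo"
    pinned_commit=$(tag_commit "$repo" "$tag")    # value a "#commit=" fragment would hold
    pinned_sum=$(tree_checksum "$repo" "$tag")    # value a sha256sums= entry would hold
    tag_unchanged "$repo" "$tag" "$pinned_commit" "$pinned_sum" || { rm -rf "$repo"; return 1; }
    move_tag "$repo" "$tag" HEAD                   # tag now names the second commit
    if tag_unchanged "$repo" "$tag" "$pinned_commit" "$pinned_sum"; then
        rm -rf "$repo"; return 1                   # move went unnoticed: not expected
    fi
    echo "tag $tag moved from $pinned_commit to $(tag_commit "$repo" "$tag"); pin and checksum no longer match"
    rm -rf "$repo"
    return 0
}
```

`#tag=` alone only asks git for whatever the name currently points at, so the check that matters is comparing against something recorded at packaging time: the commit hash in a `#commit=` fragment, or a checksum over the exported source as newer makepkg does for VCS sources.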