YunoHost-Apps / garradin_ynh

Free software for managing associations, packaged for YunoHost
https://garradin.eu/
GNU General Public License v3.0

Suggestion: Use official release API to always get the latest stable release #31

Closed bohwaz closed 1 year ago

bohwaz commented 3 years ago

Hello,

I recommend you use the official JSON API to always download the latest stable version: https://fossil.kd2.org/garradin/juvlist

This lists all current releases. You only need to extract the version from the file name and find out the latest one. Here is a quick and dirty example in JS:


// Compare two dotted version strings component by component, numerically,
// so that 1.0.10 is recognised as newer than 1.0.3. Returns true if `b` is newer than `a`.
function isNewerVersion(a, b) {
    const pa = a.split('.').map(Number);
    const pb = b.split('.').map(Number);
    for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
        const x = pa[i] || 0;
        const y = pb[i] || 0;
        if (x !== y) {
            return y > x;
        }
    }
    return false;
}

fetch('./juvlist').then((r) => {
    r.json().then((list) => {
        let last;
        let selected;

        list.forEach((file) => {
            // Anchored at the end so detached signature files (.tar.bz2.asc) are skipped
            var v = file.name.match(/^garradin-(.*)\.tar\.bz2$/);

            if (!v) {
                return;
            }

            if (!last || isNewerVersion(last, v[1])) {
                last = v[1];
                selected = file;
            }
        });

        console.log(`Latest release is ${last} available at: https://fossil.kd2.org/uv/${selected.name}`);
    });
});

That way you wouldn't have to update your package to change the URL and hash every time.

rodinux commented 3 years ago

Ok, I need time to see if it is possible to do this with YunoHost and how, but it would be nice. For now I pushed the upgrade to version 1.0.2 in the testing branch, adding a file Utils.php to debug the URIs as recommended... Keeping in mind that this is perhaps a temporary solution, I have to remember to try removing this file on the next release? Thanks for your work.

alexAubin commented 3 years ago

We should discuss this in the app team because that's a bigger consideration than just this app ...

While it's indeed appealing to have some auto-fetch of the current version, we should be careful because:

  • having a hard-coded version+hash (cf. app.src) has its pros ... such as being resilient to attacks (i.e. if an attacker gains access to the project's infrastructure and is able to publish a malicious version ... that may sound stupid or unlikely, but in fact it happened for at least one project in the past and we were able to warn the upstream maintainers about it precisely because we had a hard-coded version+hash)
  • the upstream project may push major or breaking changes that require some non-trivial changes in the app scripts or configuration.

On the other hand yes, it's a recurring issue to have to upgrade the version number for ~trivial upgrades of the app ... or even to realize that there's a new version available. I was wondering if we could design some generic mechanism that would automatically create an issue or send a notification somehow to the app packagers that an update is available for an app (and even possibly auto-create a PR to be validated by the CI).

bohwaz commented 3 years ago
> having a hard-coded version+hash (cf. app.src) has its pros ... such as being resilient to attacks (i.e. if an attacker gains access to the project's infrastructure and is able to publish a malicious version ... that may sound stupid or unlikely, but in fact it happened for at least one project in the past and we were able to warn the upstream maintainers about it precisely because we had a hard-coded version+hash)

I have just enabled signing of commits, so you should be able to check that a version is signed automatically by doing :

curl https://fossil.kd2.org/garradin/raw/dev | gpg --verify

Replace dev with the branch or tag you are trying to verify, e.g. 1.0.3 or trunk. Note that for the moment I don't have any signed commit in a stable branch yet. My key is available on various keyservers: http://keys.gnupg.net/pks/lookup?op=get&search=0x92C9DA71B888EA34

I have also started signing the release files: download the .asc file here: https://fossil.kd2.org/garradin/uvlist and verify using:

gpg --verify garradin-1.0.3.tar.bz2.asc garradin-1.0.3.tar.bz2
> the upstream project may push major or breaking changes that require some non-trivial changes in the app scripts or configuration.

Yes, that's why you should stick with minor updates, e.g. 1.0.x, as these should only be bugfixes :)
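Putting bohwaz's two suggestions together (select the newest release from the juvlist listing, but only within the minor series the package already targets, and only when the detached .asc signature is published alongside it), here is an added example written for this page; it is not code from Garradin or from the YunoHost package. Like bohwaz's snippet it assumes each juvlist entry carries the file name in a `name` field; the rule that a hyphenated suffix such as `-rc1` marks a pre-release, and the sample listing that stands in for a live fetch so the code runs offline, are assumptions made for this example.

```javascript
// Added example for this thread (not Garradin's or the YunoHost package's code).
// Select the newest stable, signed release of one minor series from a Fossil
// "juvlist" listing. Only the `name` field of each entry is assumed, as in
// bohwaz's snippet; the pre-release naming rule and the sample listing below
// are constructed for this example.

const UV_BASE = 'https://fossil.kd2.org/uv/';
// Anchored at both ends so "garradin-1.0.3.tar.bz2.asc" does not match.
const TARBALL_RE = /^garradin-(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?\.tar\.bz2$/;

// "garradin-1.0.3.tar.bz2" -> { numbers: [1, 0, 3], prerelease: false }.
// A hyphenated suffix such as "-rc1" is treated as a pre-release (assumption).
function parseVersion(name) {
    const m = name.match(TARBALL_RE);
    if (!m) {
        return null;
    }
    return { numbers: m[1].split('.').map(Number), prerelease: Boolean(m[2]) };
}

// Component-wise numeric comparison, so 1.0.10 sorts after 1.0.3 (a plain
// string comparison gets this wrong). Missing components count as 0.
// Returns a negative number, 0 or a positive number.
function compareVersions(a, b) {
    const n = Math.max(a.length, b.length);
    for (let i = 0; i < n; i++) {
        const d = (a[i] || 0) - (b[i] || 0);
        if (d !== 0) {
            return d;
        }
    }
    return 0;
}

// Newest tarball whose version starts with `series` (e.g. [1, 0] for the
// 1.0.x bugfix line) and whose detached signature is in the same listing.
// Pre-releases and unsigned tarballs are never auto-selected. Returns null
// when nothing qualifies.
function selectRelease(list, series) {
    const names = new Set(list.map((f) => f.name));
    let best = null;
    let bestVersion = null;

    for (const file of list) {
        const v = parseVersion(file.name);
        if (!v || v.prerelease) {
            continue;
        }
        if (!series.every((x, i) => v.numbers[i] === x)) {
            continue; // outside the pinned series
        }
        if (!names.has(file.name + '.asc')) {
            continue; // no detached signature published: skip
        }
        if (bestVersion === null || compareVersions(v.numbers, bestVersion) > 0) {
            best = file;
            bestVersion = v.numbers;
        }
    }

    if (best === null) {
        return null;
    }
    return {
        version: bestVersion.join('.'),
        tarball: UV_BASE + best.name,
        signature: UV_BASE + best.name + '.asc',
    };
}

// Constructed listing standing in for fetch('https://fossil.kd2.org/garradin/juvlist').
const SAMPLE_LIST = [
    { name: 'garradin-0.9.8.tar.bz2' },
    { name: 'garradin-0.9.8.tar.bz2.asc' },
    { name: 'garradin-1.0.2.tar.bz2' },
    { name: 'garradin-1.0.2.tar.bz2.asc' },
    { name: 'garradin-1.0.3.tar.bz2' },
    { name: 'garradin-1.0.3.tar.bz2.asc' },
    { name: 'garradin-1.0.10.tar.bz2' },        // newest in 1.0.x, but unsigned
    { name: 'garradin-1.1.0-rc1.tar.bz2' },     // pre-release
    { name: 'garradin-1.1.0-rc1.tar.bz2.asc' },
    { name: 'garradin-1.1.0.tar.bz2' },         // next minor series
    { name: 'garradin-1.1.0.tar.bz2.asc' },
];

console.log(selectRelease(SAMPLE_LIST, [1, 0]));
```

Presence of the .asc file is only a filter: the packager still downloads both files and runs `gpg --verify` against the maintainer's key pinned by fingerprint, and the checksum that goes into app.src is taken from the tarball that passed that check, not from the listing.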