diff options
| author |   Olaf Mandel <o.mandel@menlosystems.com> | 2022-03-24 17:47:59 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-26 09:27:05 +0000 |
| commit | 0178ab83e6312e97e528aa8c5e12105f5165d896 (patch) | |
| tree | d9c5652d8e2a91702e4bbf8ded3981a1e0151ac2 | |
| parent | 2c414f659d793d732041614caedd773959eb4f27 (diff) | |
| download | bitbake-0178ab83e6312e97e528aa8c5e12105f5165d896.tar.gz | |
fetch2/git: stop generated tarballs from leaking info
When using BB_GENERATE_MIRROR_TARBALLS="1" to generate mirror tarballs
of git repositories, they leaked local information: username, group and
time of the last fetch. Remove all these by setting fixed information:
* uname = pokybuild
* gname = users
* mtime = committer time of newest commit in repo
The username and group value were taken from the archives available on
the downloads.yoctoproject.org mirror. The modification time is chosen
so it still retains some relationship to the contents of the archive.
Signed-off-by: Olaf Mandel <o.mandel@menlosystems.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | lib/bb/fetch2/git.py | 5 | ||||
| -rw-r--r-- | lib/bb/tests/fetch.py | 30 |
2 files changed, 34 insertions, 1 deletions
diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py index b3c5e6dac..4d06a5719 100644 --- a/lib/bb/fetch2/git.py +++ b/lib/bb/fetch2/git.py @@ -462,7 +462,10 @@ class Git(FetchMethod): logger.info("Creating tarball of git repository") with create_atomic(ud.fullmirror) as tfile: - runfetchcmd("tar -czf %s ." % tfile, d, workdir=ud.clonedir) + mtime = runfetchcmd("git log --all -1 --format=%cD", d, + quiet=True, workdir=ud.clonedir) + runfetchcmd("tar -czf %s --owner pokybuild --group users --mtime \"%s\" ." + % (tfile, mtime), d, workdir=ud.clonedir) runfetchcmd("touch %s.done" % ud.fullmirror, d) def clone_shallow_local(self, ud, dest, d): diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index eff12b7c5..233ecae73 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -11,6 +11,7 @@ import hashlib import tempfile import collections import os +import tarfile from bb.fetch2 import URI from bb.fetch2 import FetchMethod import bb @@ -628,6 +629,35 @@ class GitShallowTarballNamingTest(FetcherTest): self.assertIn(self.mirror_tarball, dir) +class CleanTarballTest(FetcherTest): + def setUp(self): + super(CleanTarballTest, self).setUp() + self.recipe_url = "git://git.openembedded.org/bitbake" + self.recipe_tarball = "git2_git.openembedded.org.bitbake.tar.gz" + + self.d.setVar('BB_GENERATE_MIRROR_TARBALLS', '1') + self.d.setVar('SRCREV', '82ea737a0b42a8b53e11c9cde141e9e9c0bd8c40') + + @skipIfNoNetwork() + def test_that_the_tarball_contents_does_not_leak_info(self): + fetcher = bb.fetch.Fetch([self.recipe_url], self.d) + + fetcher.download() + + fetcher.unpack(self.unpackdir) + mtime = bb.process.run('git log --all -1 --format=%ct', + cwd=os.path.join(self.unpackdir, 'git')) + self.assertEqual(len(mtime), 2) + mtime = int(mtime[0]) + + archive = tarfile.open(os.path.join(self.dldir, self.recipe_tarball)) + self.assertNotEqual(len(archive.members), 0) + for member in archive.members: + self.assertEqual(member.uname, 'pokybuild') + self.assertEqual(member.gname, 'users') + self.assertEqual(member.mtime, mtime) + + class FetcherLocalTest(FetcherTest): def setUp(self): def touch(fn): |