Oftentimes, the file that is copied is stripped, in which case, the file
size is different. Using a file size check here means it will rerun the
strip and copy every time `fdroid update` is run for any image that needs
to be stripped. If the source's ctime is newer than the destination, then
the process should run since it is a newly created file. Even more so with
mtime, since the destination's mtime is reset based on the source's.
Package repos come from untrusted sources, in terms of the buildserver. They
should be handled in VMs and containers as much as possible to avoid
vulnerabilities. As far as I could tell, `fdroid update` only has a single
place where it executes any VCS system: if there is a .fdroid.yml present in
a package repo, then it will fetch the commit ID using git.
For better security properties, this implements a simple function to just
read the files to get that commit ID. The function that executes git to do
the same thing is relabeled "unsafe". That is used for status JSON
everywhere, but that runs on fdroiddata.git and fdroidserver.git, which are
trusted repos.
The unsafe version is also used in places where git.Repo() is needed for
other things.
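The approach this commit message describes, reading the commit ID from the files under `.git/` instead of executing git inside an untrusted package repo, sketched as an added example (this is not fdroidserver's own function). The names `read_head_commit_id` and `read_small` are hypothetical, and it assumes a plain `.git/` directory whose refs are stored loose or in `packed-refs`:

```python
import re
import tempfile
from pathlib import Path

OID = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')  # SHA-1 or SHA-256 object id
REF = re.compile(r'^refs/[A-Za-z0-9._/-]+$')  # conservative ref name allowlist


def read_small(path, limit=4096):
    """Bounded read of a regular, non-symlink file; None on any problem."""
    try:
        if path.is_symlink() or not path.is_file():
            return None
        with open(path, 'rb') as fp:
            return fp.read(limit).decode('ascii').strip()
    except (OSError, UnicodeDecodeError):
        return None


def read_head_commit_id(repo_dir):
    """Return the commit id HEAD resolves to, or None, without executing git."""
    git_dir = Path(repo_dir) / '.git'
    head = read_small(git_dir / 'HEAD')
    if head and OID.match(head):  # detached HEAD stores the id directly
        return head
    if not head or not head.startswith('ref: '):
        return None
    ref = head[5:].strip()
    if not REF.match(ref) or '..' in ref.split('/'):
        return None  # never follow a ref name that could leave .git/
    loose = read_small(git_dir / ref)
    if loose is not None:
        return loose if OID.match(loose) else None
    try:  # ref is not stored loose, so scan packed-refs line by line
        with open(git_dir / 'packed-refs', encoding='ascii') as fp:
            for line in fp:
                parts = line.rstrip('\n').split(' ')
                if len(parts) == 2 and parts[1] == ref and OID.match(parts[0]):
                    return parts[0]
    except (OSError, UnicodeDecodeError):
        pass
    return None


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample repo
        (Path(tmp) / '.git').mkdir()
        (Path(tmp) / '.git/HEAD').write_text('ref: refs/heads/master\n')
        (Path(tmp) / '.git/packed-refs').write_text('ab' * 20 + ' refs/heads/master\n')
        print(read_head_commit_id(tmp))
```

Because nothing here spawns a process, repo-local git configuration and hooks in the untrusted checkout are never consulted; anything unexpected in the files yields `None` rather than an error.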
!1627 missed this, so stages only get included in running.json. That means
the stages info is only visible while update is running, making it hard to
use.
This file can be treated like the other index files in repo/. This also has
the advantage that it will automatically get synced by @CiaranG's existing
sync scripts.
dexdump is only available for certain CPU architectures. Google binaries
are for amd64 and arm64. Debian binaries are for amd64, arm64, armhf,
i386, and riscv64. That leaves out armel, ppc64el, s390x, loong64, etc.
where pure Python code runs perfectly fine.
Really, this is not meant to be set by the user in the config. But if they
add something harmless that'll be ignored anyway, it seems that throwing an
error is too much. So only throw the error if it is set wrongly.
`keypass: {env: keypass}` has been in use in production repos for
years. That is not anything new. It makes it possible to maintain
_config.yml_ publicly even when it needs secrets. This change makes
sure it is possible to use {env: foo} syntax anywhere where a string
value is valid. The "list of dicts" values can be str, list of str or
list of dicts with str.
Before the {env: keypass} syntax, the actual password was just inline
in the config file. Before this commit, it was only possible to use
{env: key} syntax in simple, string-only configs, e.g. from
examples/config.yml:
This outputs YAML in a string that is suitable for use in regexps
and string replacements, as well as complete files. It is therefore
explicitly set up to avoid writing out headers and footers.
This is a key piece of the ongoing `PUBLISH` _config.yml_ migration. There was uneven implementation of which YAML parser to use, and that could lead to bugs where one parser might read a value one way, and a different parser will read the value a different way. I wanted to be sure that YAML 1.2 would always work.
This makes all code that handles config files use the same `ruamel.yaml` parsers. This only touches other usages of YAML parsers when there is overlap. This does not port all of _fdroidserver_ to `ruamel.yaml` and YAML 1.2. The metadata files should already be YAML 1.2 anyway.
# Conflicts:
# fdroidserver/lint.py
This makes it easy to track all the places that use config.yml, and
hopefully makes things feel cleaner. This also standardizes all places
where config.yml is written out to use UTF-8 as the file encoding.
This also includes a lot of black code format fixes.
I don't think it is possible to automatically handle those cases, because
proxy setups can be so widely varied and can have privacy ramifications.
The person running the test who hits proxy errors will need to handle them
manually.
* It should include a subdir named after the test case.
* self.testdir is the common var name for this.
* tmp_repo is not a repo/ subdir, but instead the root of the whole repo