Errors are needed when referring to local things outside of the project
This currently includes:
- Referring to
localplugins fromproject.confusing relative paths which lead outside of the project directory - Referring to files or directories which lead outside of the project directory in
localsourcepath:configuration
Also relevant, is usage of symlinks in a project directory which lead outside of the project, but are in any way required to build the project, this can happen for both of the above mentioned cases (using proper paths which refer to symlinks which instead attempt to crawl out of the project directory).
In any of these cases, BuildStream should abort early with an error message.
Activity
mentioned in issue freedesktop-sdk/freedesktop-sdk#40 (closed)
mentioned in merge request !181 (merged)
mentioned in merge request bst-external!9 (merged)
mentioned in issue bst-external#2 (closed)
mentioned in issue #475 (closed)
mentioned in issue freedesktop-sdk/freedesktop-sdk#229 (closed)
Note that in order to avoid breaking builds, we need to wait for freedesktop-sdk/freedesktop-sdk#229 (closed) to be fixed in order to properly police and enforce the expected project behavior.
@tristanvb No need to wait for us: we depend on a specific version of bst, so no build will be broken, see freedesktop-sdk/freedesktop-sdk#229 (comment 88422229)
added To Do label
added Important label
added Blocker label
removed Important label
Some additional implementation notes:
- This needs a low level private API to do the grunt work of asserting a project path
- A project path must not escape the project
- A project path must not have symlink components which maliciously escape the project
- This function might raise an exception, or return a boolean
- For best convenience of plugin authors and user experience, we should add a public method to
Plugin- This belongs to the YAML node manipulation family, something like
Plugin.node_load_project_path() - This behaves similarly to calling
Plugin.node_get_member()when loading a string, except that it additionally validates the string using the privateutilsfunction mentioned above - If the project path is not a valid one, it raises a
PluginError()with the appropriateProvenance(seePlugin.node_provenance()etc)
- This belongs to the YAML node manipulation family, something like
-
localsource needs to use the newPluginAPI to load it's path -
patchsource needs to do the same -
ostreesource needs to do the same (for the loading of it's gpg file for validation) -
_project.pyneeds to also validate some paths, using a private utility- The
element-path - Paths related to local plugin loading locations
- The
Since we always raise the error when extracting the string from the YAML dictionary nodes, maybe we want the private API to be in
_yaml.pyinstead, or have a layer there at least; whichever makes more sense. Point being that we also want theProvenance(filename, line, column) information for any error we encounter at load time.- This needs a low level private API to do the grunt work of asserting a project path
assigned to @tacgomes
removed To Do label
added Doing label
mentioned in merge request !593 (merged)
mentioned in issue freedesktop-sdk/freedesktop-sdk#275 (closed)
mentioned in merge request !598 (merged)
removed Doing label
added Verify label
removed Verify label
mentioned in commit tchaik/gnome-build-meta@107d3d42
mentioned in commit 48cca433
mentioned in issue #946
marked this issue as related to #946
