From: Demi Marie Obenour <demiobenour@gmail.com>
To: Alyssa Ross <hi@alyssa.is>
Cc: Spectrum OS Development <devel@spectrum-os.org>
Subject: Re: config.nix validation?
Date: Sun, 9 Nov 2025 15:09:33 -0500 [thread overview]
Message-ID: <28029ec0-5976-4666-aa8b-7932cd82cccb@gmail.com> (raw)
In-Reply-To: <878qgf4fxi.fsf@alyssa.is>
[-- Attachment #1.1.1: Type: text/plain, Size: 1819 bytes --]
On 11/9/25 06:13, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> Should the values from config.nix be validated in any way? They are
>> obviously trusted, but it is very easy for the users to make mistakes
>> that could cause extremely confusing problems. For instance, the
>> update patch doesn't support URLs with a query string or a fragment
>> specifier. In fact, such URLs could get mangled. There are other
>> URLs that tools like curl will accept but which will break the build.
>>
>> Should these be validated with regular expressions before use?
>> That will result in build-time errors that at least somewhat point
>> to the source of the problem, rather than mysterious build-time or
>> runtime misbehavior.
>
> Is there a way we could prevent those URLs getting mangled?
Only with some additional complexity. The URLs for SHA256SUMS and
SHA256SUMS.gpg are built by string concatenation, which breaks if there
is query string or fragment identifier. Also, certain characters in
URLs will cause globbing in curl. These characters are invalid and
should have been %-encoded.
> Assuming no, we don't know of anybody currently using the configuration
> mechanism, so I wouldn't spend much time on it personally, but that
> doesn't necessarily mean that you shouldn't. Do it in separate patches
> at least though so it doesn't hold up higher priority stuff.
The updater requires the configuration mechanism to work. Therefore,
I expect it to be used much more frequently in the future. The only
sensible defaults are those used by Spectrum itself, and the
corresponding URLs and signing keys don't exist yet.
Should these patches be part of the same patch series or a separate
one?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2025-11-09 20:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-07 22:08 config.nix validation? Demi Marie Obenour
2025-11-09 11:13 ` Alyssa Ross
2025-11-09 20:09 ` Demi Marie Obenour [this message]
2025-11-09 21:10 ` Alyssa Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28029ec0-5976-4666-aa8b-7932cd82cccb@gmail.com \
--to=demiobenour@gmail.com \
--cc=devel@spectrum-os.org \
--cc=hi@alyssa.is \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://spectrum-os.org/git/crosvm
https://spectrum-os.org/git/doc
https://spectrum-os.org/git/mktuntap
https://spectrum-os.org/git/nixpkgs
https://spectrum-os.org/git/spectrum
https://spectrum-os.org/git/ucspi-vsock
https://spectrum-os.org/git/www
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).