Demi Marie Obenour writes: > On 11/9/25 06:13, Alyssa Ross wrote: >> Demi Marie Obenour writes: >> >>> Should the values from config.nix be validated in any way? They are >>> obviously trusted, but it is very easy for the users to make mistakes >>> that could cause extremely confusing problems. For instance, the >>> update patch doesn't support URLs with a query string or a fragment >>> specifier. In fact, such URLs could get mangled. There are other >>> URLs that tools like curl will accept but which will break the build. >>> >>> Should these be validated with regular expressions before use? >>> That will result in build-time errors that at least somewhat point >>> to the source of the problem, rather than mysterious build-time or >>> runtime misbehavior. >> >> Is there a way we could prevent those URLs getting mangled? > > Only with some additional complexity. The URLs for SHA256SUMS and > SHA256SUMS.gpg are built by string concatenation, which breaks if there > is query string or fragment identifier. Also, certain characters in > URLs will cause globbing in curl. These characters are invalid and > should have been %-encoded. > >> Assuming no, we don't know of anybody currently using the configuration >> mechanism, so I wouldn't spend much time on it personally, but that >> doesn't necessarily mean that you shouldn't. Do it in separate patches >> at least though so it doesn't hold up higher priority stuff. > > The updater requires the configuration mechanism to work. Therefore, > I expect it to be used much more frequently in the future. The only > sensible defaults are those used by Spectrum itself, and the > corresponding URLs and signing keys don't exist yet. > > Should these patches be part of the same patch series or a separate > one? Up to you, as long as they come later in a series than everything more urgent.