patches and low-level development discussion
From: Demi Marie Obenour <demiobenour@gmail.com>
To: Alyssa Ross <hi@alyssa.is>
Cc: Spectrum OS Development <devel@spectrum-os.org>
Subject: Re: [PATCH v2 5/8] release: Create directory with system update
Date: Thu, 13 Nov 2025 13:23:03 -0500	[thread overview]
Message-ID: <cd907c0f-c5c1-4779-aecf-7ea5b25ff312@gmail.com> (raw)
In-Reply-To: <87frahapgp.fsf@alyssa.is>



On 11/13/25 11:04, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
> 
>> Whenever a release is made, create a directory with the release files to
>> be used for an update.  After its SHA256SUMS file is signed, the file
>> is ready to be uploaded to a webserver for users to update from.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>>  release.nix        |  2 ++
>>  release/update.nix | 30 ++++++++++++++++++++++++++++++
>>  2 files changed, 32 insertions(+)
>>
>> diff --git a/release.nix b/release.nix
>> index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644
>> --- a/release.nix
>> +++ b/release.nix
>> @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: {
>>  
>>    checks = callSpectrumPackage release/checks {};
>>  
>> +  updates = callSpectrumPackage release/update.nix {};
>> +
> 
> Should this just be called "update" (singular)?

Sure!

>>    combined = callSpectrumPackage release/combined/run-vm.nix {};
>>  }) (_: {})
>> diff --git a/release/update.nix b/release/update.nix
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d
>> --- /dev/null
>> +++ b/release/update.nix
>> @@ -0,0 +1,30 @@
>> +# SPDX-License-Identifier: MIT
>> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is>
>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>> +
>> +import ../lib/call-package.nix (
>> +{ callSpectrumPackage, config, efi
>> +, runCommand, stdenv, rootfs
>> +}:
>> +
>> +runCommand "spectrum-update-directory" {
>> +  __structuredAttrs = true;
>> +  unsafeDiscardReferences = { out = true; };
>> +  dontFixup = true;
>> +  env = {
>> +    VERSION = config.version;
>> +    ROOTHASH = "${rootfs}/rootfs.verity.roothash";
>> +    VERITY = "${rootfs}/rootfs.verity.superblock";
>> +    ROOT_FS = "${rootfs}/rootfs";
>> +    EFI = efi;
>> +  };
> 
> I'd just inline these as string interpolations rather than passing them
> as environment variables (except maybe VERSION).

In general, this is very bad practice and has caused security
vulnerabilities in GitHub Actions.  These have even been exploited in
the wild.  However, this is *not* a vulnerability in this context as
the input is trusted and known not to contain shell metacharacters.
I mostly wanted to avoid bad habits that are fine in the Nix context,
but not in others.

>> +} ''
>> +  read -r roothash < "$ROOTHASH"
>> +  mkdir -- "$out"
>> +  cp -- "$VERITY" "$out/Spectrum_$VERSION.verity"
>> +  cp -- "$ROOT_FS" "$out/Spectrum_$VERSION.root"
>> +  cp -- "$EFI" "$out/Spectrum_$VERSION.efi"
>> +  cd -- "$out"
>> +  sha256sum -b "Spectrum_$VERSION.root" "Spectrum_$VERSION.verity" "Spectrum_$VERSION.efi" > SHA256SUMS
>> +  ''
>> +) (_: {})
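Review bot: in the builder script, `roothash` is read from "$ROOTHASH" on the first line (`read -r roothash < "$ROOTHASH"`) but is never referenced in any of the lines that follow, so that line and the `ROOTHASH` entry in `env` are dead code unless the value is meant to end up in a file name (for example the `.verity` image) or in SHA256SUMS; either use it or drop both. Separately, `sha256sum -b` writes a `*` before each file name in SHA256SUMS; confirm that whatever consumes SHA256SUMS on the client accepts the binary-mode marker, or drop `-b`, which on Linux changes nothing except that marker.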
>>
>> -- 
>> 2.51.2


-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

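The point made above about interpolating a value into a shell script versus passing it through the environment, as an added example that is not part of the patch or of the Spectrum project's code. It only uses `sh`, `sed`, `wc` and `tr`; the version strings are constructed to carry shell metacharacters, and the file-name pattern merely mirrors the one in the patch.

```sh
#!/bin/sh
# Added example (not Spectrum code): why pasting a value into a script's
# source is an injection risk, and two ways to pass it as data instead.
# The version strings below are constructed to carry shell metacharacters.

# Constructed untrusted input, e.g. a tag name or PR title in a CI job.
EVIL_VERSION='1.0"; echo INJECTED; echo "'

# Unsafe: the value is spliced into the script text, so the inner shell
# parses the attacker's quotes and semicolons as code.
interpolated_name() {
  sh -c "printf '%s\n' \"Spectrum_$1.root\""
}

# Safe: the script source is a constant and the value arrives through the
# environment; the inner shell only ever expands it as a string.
env_name() {
  VERSION="$1" sh -c 'printf "%s\n" "Spectrum_$VERSION.root"'
}

# POSIX single-quote escaping, for the cases where the value must be
# embedded in generated script text (no bash-only printf %q needed).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Safe variant of interpolation: the value is quoted before being spliced,
# so the inner shell sees a single-quoted literal, never code.
quoted_name() {
  sh -c "v=$(shell_quote "$1"); printf '%s\n' \"Spectrum_\$v.root\""
}

# Count the lines a strategy printed; one line means the value stayed data.
line_count() {
  "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration when run directly: 3 lines for the unsafe form, 1 for the
# other two.
printf 'interpolated: %s line(s)\n' "$(line_count interpolated_name "$EVIL_VERSION")"
printf 'env:          %s line(s)\n' "$(line_count env_name "$EVIL_VERSION")"
printf 'quoted:       %s line(s)\n' "$(line_count quoted_name "$EVIL_VERSION")"
```

The environment route is the one the patch takes: the builder text contains only `$VERSION`, `$ROOTHASH` and so on, and Nix supplies the values at run time, so a value with quotes or `$(...)` can never change what the script does. The `shell_quote` helper is the fallback when generated script text is unavoidable; it is the same transformation GitHub Actions users are told to apply (or to avoid by using `env:`) after the injection bugs Demi alludes to.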

Thread overview (177+ messages):
2025-10-29 10:12 [PATCH 0/7] System updates based on systemd-sysupdate Demi Marie Obenour
2025-10-29 10:12 ` [PATCH 1/7] host/rootfs: Use full util-linux and systemd Demi Marie Obenour
2025-10-29 11:36   ` Alyssa Ross
2025-11-01  3:25     ` Demi Marie Obenour
2025-11-01 12:13       ` Alyssa Ross
2025-11-06  9:15         ` Demi Marie Obenour
2025-10-29 10:12 ` [PATCH 2/7] release/combined: Compress installation image Demi Marie Obenour
2025-10-29 11:50   ` Alyssa Ross
2025-10-29 16:51     ` Alyssa Ross
2025-11-01 22:15       ` Demi Marie Obenour
2025-11-02  0:18         ` Demi Marie Obenour
2025-11-02 12:05           ` Alyssa Ross
2025-11-02 14:42             ` Alyssa Ross
2025-11-02 19:38             ` Demi Marie Obenour
2025-10-29 10:12 ` [PATCH 3/7] tools: Add directory checker for updates Demi Marie Obenour
2025-10-29 12:01   ` Alyssa Ross
2025-10-31 20:31     ` Demi Marie Obenour
2025-11-01 12:17       ` Alyssa Ross
2025-11-01 14:09         ` Alyssa Ross
2025-11-01 18:36         ` Demi Marie Obenour
2025-11-02 12:18           ` Alyssa Ross
2025-11-02 12:43             ` Alyssa Ross
2025-11-02 19:34               ` Demi Marie Obenour
2025-11-04 15:26                 ` Alyssa Ross
2025-11-02 19:21             ` Demi Marie Obenour
2025-11-04 15:27               ` Alyssa Ross
2025-11-04 22:56                 ` Demi Marie Obenour
2025-11-06 10:15                   ` Alyssa Ross
2025-10-29 10:12 ` [PATCH 4/7] Adjust partition layout to support updates Demi Marie Obenour
2025-10-29 15:49   ` Alyssa Ross
2025-10-29 10:12 ` [PATCH 5/7] release: add install step Demi Marie Obenour
2025-10-29 12:20   ` Alyssa Ross
2025-10-29 10:12 ` [PATCH 6/7] Factor out dm-verity build rules Demi Marie Obenour
2025-10-29 12:22   ` Alyssa Ross
2025-10-31  6:39     ` Demi Marie Obenour
2025-10-29 10:12 ` [PATCH 7/7] Support updates via systemd-sysupdate Demi Marie Obenour
2025-10-29 15:48   ` Alyssa Ross
2025-11-12 22:14 ` [PATCH v2 0/8] System updates based on systemd-sysupdate Demi Marie Obenour
2025-11-12 22:14   ` [PATCH v2 1/8] host/rootfs: Install all programs from util-linuxMinimal Demi Marie Obenour
2025-11-13 12:35     ` Alyssa Ross
2025-11-12 22:14   ` [PATCH v2 2/8] host/rootfs: Install systemd-pull Demi Marie Obenour
2025-11-13 15:22     ` Alyssa Ross
2025-11-13 23:46       ` Demi Marie Obenour
2025-11-14 11:59         ` Alyssa Ross
2025-11-12 22:14   ` [PATCH v2 3/8] tools: Add directory checker for updates Demi Marie Obenour
2025-11-13 13:21     ` Alyssa Ross
2025-11-13 17:53       ` Demi Marie Obenour
2025-11-13 18:01         ` Alyssa Ross
2025-11-13 18:03           ` Demi Marie Obenour
2025-11-14 13:08             ` Alyssa Ross
2025-11-14 18:37               ` Demi Marie Obenour
2025-11-15 15:20                 ` Alyssa Ross
2025-11-12 22:14   ` [PATCH v2 4/8] Adjust partition layout to support updates Demi Marie Obenour
2025-11-13 16:00     ` Alyssa Ross
2025-11-12 22:14   ` [PATCH v2 5/8] release: Create directory with system update Demi Marie Obenour
2025-11-13 16:04     ` Alyssa Ross
2025-11-13 18:23       ` Demi Marie Obenour [this message]
2025-11-13 19:09         ` Alyssa Ross
2025-11-12 22:15   ` [PATCH v2 6/8] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-13 16:44     ` Alyssa Ross
2025-11-13 20:25       ` Demi Marie Obenour
2025-11-14 12:14         ` Alyssa Ross
2025-11-14 23:16           ` Demi Marie Obenour
2025-11-20 14:56             ` Alyssa Ross
2025-11-20 19:42               ` Demi Marie Obenour
2025-11-12 22:15   ` [PATCH v2 7/8] Documentation: Update support Demi Marie Obenour
2025-11-13 16:49     ` Alyssa Ross
2025-11-13 22:24       ` Demi Marie Obenour
2025-11-14 12:16         ` Alyssa Ross
2025-11-12 22:15   ` [PATCH v2 8/8] lib/config.nix: Validate configuration parameters Demi Marie Obenour
2025-11-13 17:16     ` Alyssa Ross
2025-11-19  8:18   ` [PATCH v3 00/14] System updates based on systemd-sysupdate Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 01/14] host/rootfs: Install all programs from util-linuxMinimal Demi Marie Obenour
2025-11-19 14:14       ` Alyssa Ross
2025-11-20  0:12         ` Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 02/14] host/rootfs: Install systemd-pull Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 03/14] tools: Add directory checker for updates Demi Marie Obenour
2025-11-19 14:45       ` Alyssa Ross
2025-11-19 23:58         ` Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 04/14] scripts: port make-gpt.sh to bash Demi Marie Obenour
2025-11-20 10:28       ` Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 05/14] scripts/make-gpt.sh: Allow specifying partition size Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 06/14] Support generating multiple partition UUIDs Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 07/14] scripts: Use shell expansion to get partition path Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 08/14] Use OS version to set partition labels and UKI name Demi Marie Obenour
2025-11-20 12:11       ` Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 09/14] release: Compress installation images and remove live image Demi Marie Obenour
2025-11-20 12:14       ` Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 10/14] Add B partitions to installation images Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 11/14] release: Create directory with system update Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 12/14] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 13/14] Documentation: Update support Demi Marie Obenour
2025-11-19  8:18     ` [PATCH v3 14/14] Validate configuration parameters Demi Marie Obenour
2025-11-22  1:23     ` [PATCH v4 00/14] System updates based on systemd-sysupdate Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 01/14] host/rootfs: Install all programs from util-linuxMinimal Demi Marie Obenour
2025-11-25 11:56         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 02/14] host/rootfs: Install systemd-pull Demi Marie Obenour
2025-11-25  7:36         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 03/14] tools: Add directory checker for updates Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 04/14] scripts: port make-gpt.sh to bash Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 05/14] scripts/make-gpt.sh: Allow specifying partition size Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 06/14] Support generating multiple partition UUIDs Demi Marie Obenour
2025-11-25 13:02         ` Alyssa Ross
2025-11-26 18:26           ` Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 07/14] scripts: Use shell expansion to get partition path Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 08/14] release: Compress installation images and remove live image Demi Marie Obenour
2025-11-25 13:19         ` Alyssa Ross
2025-11-25 22:38           ` Demi Marie Obenour
2025-11-28 11:09             ` Alyssa Ross
2025-11-28 19:45               ` Demi Marie Obenour
2025-11-22  1:23       ` [PATCH v4 09/14] Use OS version to set partition labels and UKI name Demi Marie Obenour
2025-11-25 14:11         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 10/14] Add B partitions to installation images Demi Marie Obenour
2025-11-25 16:31         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 11/14] release: Create directory with system update Demi Marie Obenour
2025-11-25 16:50         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 12/14] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-25 17:54         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 13/14] Documentation: Update support Demi Marie Obenour
2025-11-25 18:00         ` Alyssa Ross
2025-11-22  1:23       ` [PATCH v4 14/14] Validate configuration parameters Demi Marie Obenour
2025-11-25 18:06         ` Alyssa Ross
2025-11-25 12:22       ` [PATCH v4 00/14] System updates based on systemd-sysupdate Alyssa Ross
2025-11-26 19:40       ` [PATCH v5 00/13] " Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 01/13] tools: Add directory checker for updates Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 02/13] scripts: port make-gpt.sh to bash Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 03/13] scripts/make-gpt.sh: Allow specifying partition size Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 04/13] Port scripts/format-uuid.sh to awk Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 05/13] Use set and a command substitution to set UUID variables Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 06/13] scripts: Use shell expansion to get partition path Demi Marie Obenour
2025-11-28 11:20           ` Alyssa Ross
2025-11-26 19:40         ` [PATCH v5 07/13] release: Compress installation images and remove live image Demi Marie Obenour
2025-11-28 11:21           ` Alyssa Ross
2025-11-26 19:40         ` [PATCH v5 08/13] Use OS version to set partition labels and UKI name Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 09/13] Add B partitions to installation images Demi Marie Obenour
2025-11-28 11:23           ` Alyssa Ross
2025-11-26 19:40         ` [PATCH v5 10/13] release: Create directory with system update Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 11/13] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-28 13:47           ` Alyssa Ross
2025-11-28 20:27             ` Demi Marie Obenour
2025-11-28 20:41               ` Alyssa Ross
2025-11-28 20:44                 ` Demi Marie Obenour
2025-11-28 21:08                   ` Alyssa Ross
2025-11-28 21:28                     ` Demi Marie Obenour
2025-11-28 21:30                       ` Alyssa Ross
2025-11-26 19:40         ` [PATCH v5 12/13] Documentation: Update support Demi Marie Obenour
2025-11-26 19:40         ` [PATCH v5 13/13] Validate configuration parameters Demi Marie Obenour
2025-11-29  9:49         ` [PATCH v6 0/8] System updates based on systemd-sysupdate Demi Marie Obenour
2025-11-29  9:49           ` [PATCH v6 1/8] tools: Add directory checker for updates Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:49           ` [PATCH v6 2/8] release: Compress installation images and remove live image Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 3/8] Use OS version to set partition labels and UKI name Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 4/8] Add B partitions to installation images Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 5/8] release: Create directory with system update Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 6/8] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-29 11:16             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 7/8] Documentation: Update support Demi Marie Obenour
2025-11-30 21:46             ` Alyssa Ross
2025-11-29  9:50           ` [PATCH v6 8/8] Validate configuration parameters Demi Marie Obenour
2025-11-26 19:33     ` [PATCH v4 00/13] System updates based on systemd-sysupdate Demi Marie Obenour
2025-11-26 19:33       ` [PATCH v4 01/13] tools: Add directory checker for updates Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 02/13] scripts: port make-gpt.sh to bash Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 03/13] scripts/make-gpt.sh: Allow specifying partition size Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 04/13] Port scripts/format-uuid.sh to awk Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 05/13] Use set and a command substitution to set UUID variables Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 06/13] scripts: Use shell expansion to get partition path Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 07/13] release: Compress installation images and remove live image Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 08/13] Use OS version to set partition labels and UKI name Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 09/13] Add B partitions to installation images Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 10/13] release: Create directory with system update Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 11/13] Support updates via systemd-sysupdate Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 12/13] Documentation: Update support Demi Marie Obenour
2025-11-26 19:34       ` [PATCH v4 13/13] Validate configuration parameters Demi Marie Obenour
