Skip to content

Cache bottle attestations#18581

Closed
carlocab wants to merge 2 commits intomasterfrom
attestation-cache
Closed

Cache bottle attestations#18581
carlocab wants to merge 2 commits intomasterfrom
attestation-cache

Conversation

@carlocab
Copy link
Member

@carlocab carlocab commented Oct 16, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This will help limit the number of times we need to query GitHub for the
attestation in CI.

@carlocab
Cache bottle attestations
89645ad 
This will help limit the number of times we need to query GitHub for the
attestation in CI.
@carlocab carlocab requested a review from woodruffw October 16, 2024 13:59
MikeMcQuaid
MikeMcQuaid approved these changes Oct 16, 2024
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me! Does make me wonder whether this caching could/should be in Homebrew/brew, though?

carlocab
carlocab commented Oct 16, 2024
View reviewed changes
@carlocab
Copy link
Member Author

carlocab commented Oct 16, 2024

Does make me wonder whether this caching could/should be in Homebrew/brew, though?

That's where we're making this change!

@MikeMcQuaid
Copy link
Member

MikeMcQuaid commented Oct 16, 2024

That's where we're making this change!

I cannot read today 🙈 apologies!

MikeMcQuaid
MikeMcQuaid approved these changes Oct 16, 2024
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed this still looks good now I know what repository I'm in today 🙃

Library/Homebrew/cleanup.rb

sig { params(pathname: Pathname, scrub: T::Boolean).returns(T::Boolean) }
def stale_attestation?(pathname, scrub)
scrub || prune?(pathname, ATTESTATION_CLEANUP_DAYS)
Copy link
Member

@MikeMcQuaid MikeMcQuaid Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be nice if this could be cleaned up based on the state of the cached bottles? Not a blocker, very much nice-to-have.

@woodruffw @carlocab
Update Library/Homebrew/attestation.rb
67351de 
Co-authored-by: Carlo Cabrera <github@carlo.cab>
woodruffw
woodruffw reviewed Oct 16, 2024
View reviewed changes
Library/Homebrew/attestation.rb

if cached_attestation.exist?
begin
return JSON.parse(cached_attestation.read)
Copy link
Member

@woodruffw woodruffw Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to make sure I understand: the intended behavior here is to treat a cached attestation as implicitly previously verified, right?

I think we could go two ways with this: either assume cached == verified (which in turn means an attacker who can modify the cache/insert a dummy cache member can bypass verification, although such an attacker is already pretty powerful), or perform verification again on the cached attestation (so skip the download, but do the rest of the gh attestation verify).

The first seems fine to me, but the second is perhaps preferable.

Copy link
Member

@MikeMcQuaid MikeMcQuaid Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first seems fine to me, but the second is perhaps preferable.

Agreed 👍🏻

@github-actions
Copy link

github-actions bot commented Nov 8, 2024

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Nov 8, 2024
@woodruffw woodruffw added in progress Maintainers are working on this and removed stale No recent activity labels Nov 12, 2024
@MikeMcQuaid MikeMcQuaid removed the in progress Maintainers are working on this label May 21, 2025
@github-actions
Copy link

github-actions bot commented Jun 12, 2025

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Jun 12, 2025
@github-actions github-actions bot closed this Jun 19, 2025
@github-actions github-actions bot deleted the attestation-cache branch June 19, 2025 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

@woodruffw woodruffw woodruffw left review comments

Assignees

No one assigned

Labels

stale No recent activity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@carlocab @MikeMcQuaid @woodruffw