Validate versions after downloading completed build
Closed this issue · 4 comments
openwrt/packages#24324 (comment) item 4
You should validate the core version as well as package versions returned by the server before proceeding to install. The user has confirmed a certain action, and you need to make sure that this is the action you are going to perform. It is unfortunately not so uncommon that the versions requested and versions delivered don't match, in that case you should abort with an error.
@dangowrt, what specifically are you thinking on this one?
-
Compare requested release (e.g.,
r26608-b2a84c86e3) to the one in the build manifest. If different, fail verification. Pretty sure imagebuilder is already doing this one, if you specify an older version then you getError: Received incorrect version r26474-87d5d38e2a (requested r26467-50e26e6fd7)message back from the ASU/image builder. -
For each package in the build request (
"dnsmasq-full": "2.90-r1"), verify that what we have inowut's package list is the same as what came back in the manifest.
Others?
Checking for packages (explicitly) requested but missing in the resulting manifest would be another thing which comes to mind (I don't think I implemented that in auc, but it would be nice to have).
I've added those checks, hacked in some test cases by changing the response and now report:
ERROR: Firmware revision mismatch: expected r26608-b2a84c86e3, but got r26608-b2a84c86e3xxx
ERROR: Firmware package version mismatch: 'dnsmasq-full', expected 2.90-r2, but got 2.90-r1
ERROR: Firmware missing requested package: 'htop'
I might fiddle with the exact wording before I commit...