[RPKI] routinator download-during-build
Havard Eidnes
he at uninett.no
Mon May 6 07:43:40 UTC 2024
Hi,

I'm the maintainer of the pkgsrc package for routinator, ref.
https://github.com/NetBSD/pkgsrc/tree/trunk/net/routinator

In pkgsrc we have code to extract cargo dependencies, to download
them in a separate "fetch" phase, checksum all the constituent
components and verify that none of the components have changed
since the program was packaged. As part of this there has always
been an implicit policy to disallow "downloads" during the
"build" phase, for several reasons:

* Components may change in unverified manners
* The build system may be offline
* The build may produce different results compared to what it
  did when the program was packaged

and recently constructs were added to pkgsrc to enforce this "no
downloads during the build phase" by setting a proxy URL with a
non-resolvable host name during that phase.

And ... of course, routinator trips up over this check. The
build.rs program in the routinator-ui crate has explicit code to
itself download routinator-ui-build.tar.gz from github, and this
would then constitute a violation of the above rules.

I guess there are "reasons" why this code is there, and the
routinator-ui-build.tar.gz contents can't be referred to by an
entry in a Cargo.toml file? It is however annoying if not to say
disconcerting that we can't verify all the constituent components.

Can anything be done to routinator to not violate the "no
download during build phase" rule?

Best regards,

- Håvard
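
The two controls described in the message above (checksum verification of fetched components, then a build phase whose proxy points at a non-resolvable host), as an added sketch that is not part of the original post and is not pkgsrc's own code. The function names, the manifest format and the proxy host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: names and file layout are assumptions, not pkgsrc's implementation.

# ".invalid" is a reserved TLD that never resolves, so any client that
# honours the proxy variables fails instead of reaching the network.
BLOCK_PROXY="http://no-downloads-during-build.invalid:3128/"

# Print the SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_distfiles DIR MANIFEST
# MANIFEST lines are "<sha256-hex>  <filename>", recorded at packaging time.
# Returns 0 only if every listed file is present and unchanged.
verify_distfiles() {
    dir=$1 manifest=$2 rc=0
    while read -r want name || [ -n "$want" ]; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "CHANGED  $name" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# build_without_network CMD [ARGS...]
# Runs the build step with the common proxy variables set to the
# unresolvable host. CARGO_NET_OFFLINE only stops cargo's own fetches;
# a build.rs that makes its own HTTP request is caught by the proxy
# setting, and only if its HTTP client honours these variables.
build_without_network() {
    env http_proxy="$BLOCK_PROXY" https_proxy="$BLOCK_PROXY" \
        HTTP_PROXY="$BLOCK_PROXY" HTTPS_PROXY="$BLOCK_PROXY" \
        ftp_proxy="$BLOCK_PROXY" no_proxy= NO_PROXY= \
        CARGO_NET_OFFLINE=true \
        "$@"
}
```

A packaging run would call `verify_distfiles` at the end of the fetch phase and wrap the build command in `build_without_network`; a download attempted from a build script then surfaces as a name-resolution failure in the build log.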