[question] conan manifests and lockfile
I've read the CONTRIBUTING guide.
I would like to use conan to manage my toolchain for various projects and I have done some work towards making this a possibility in https://gitlab.com/aucampia/proj/xonan.
The idea is that a user would check in a conanfile.txt with their toolchain (e.g. terraform, golang, etc.) and conan.lock with their project, and then use xonan lenv install and xonan lenv exec -- terraform ... to use the tool. The one thing missing here is that I would like to also verify that installed/provided packages have the same manifests when someone else uses it, to prevent the possibility of someone somehow tampering with packages.
As far as I know the package manifests do not affect the package_id, which is the current unique identifier for packages, and while the package_id will likely change if the manifests change, this does not protect against maliciously crafted packages and tampering.
I could add support for “locking” manifests outside of conan, but I’m just wondering if this is not functionality that should go into conan itself? Maybe some option when enabled to include a hash of the manifest in the conan lockfile and then checking it when verifying the lockfile?
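As an added example (not part of the issue, of xonan or of Conan itself), the following sketches the manifest pinning the question proposes, done outside Conan: a digest of each package's conanmanifest.txt is recorded next to the lockfile and checked again on the next install, and the files in the package tree are checked against the md5 entries the manifest carries. It assumes the Conan 1.x manifest layout (a first line holding a timestamp, then one `path: md5` line per file); the package reference, file contents and timestamps are constructed for the example.

```python
import hashlib
import json


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_manifest(timestamp: int, files: dict) -> str:
    """Render a conanmanifest.txt-style text: a timestamp line, then one
    'path: md5' line per file, sorted by path (assumed Conan 1.x layout)."""
    lines = [str(timestamp)]
    lines += [f"{path}: {md5_hex(data)}" for path, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str):
    """Return (timestamp, {path: md5}) from manifest text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    timestamp = int(lines[0])
    entries = {}
    for ln in lines[1:]:
        path, _, digest = ln.rpartition(":")
        entries[path.strip()] = digest.strip()
    return timestamp, entries


def manifest_digest(text: str) -> str:
    """Stable SHA-256 over the file entries only. The timestamp line is left
    out so a re-export of byte-identical files still matches the pinned value."""
    _, entries = parse_manifest(text)
    canonical = "\n".join(f"{p}: {entries[p]}" for p in sorted(entries))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_manifests(manifests: dict) -> dict:
    """{package_reference: manifest_text} -> {package_reference: digest}.
    This is the 'lock' the project would commit next to conan.lock."""
    return {ref: manifest_digest(text) for ref, text in manifests.items()}


def verify_manifests(lock: dict, manifests: dict) -> list:
    """Compare installed manifests against the pinned digests.
    Returns a list of (reference, reason); empty means everything matches."""
    problems = []
    for ref, expected in sorted(lock.items()):
        if ref not in manifests:
            problems.append((ref, "missing"))
        elif manifest_digest(manifests[ref]) != expected:
            problems.append((ref, "digest mismatch"))
    for ref in sorted(manifests):
        if ref not in lock:
            problems.append((ref, "not pinned"))
    return problems


def check_files_against_manifest(text: str, files: dict) -> list:
    """Return manifest paths whose bytes do not match the listed md5, or
    which are absent from the package tree. files is {path: bytes}."""
    _, entries = parse_manifest(text)
    return [
        path
        for path, expected in sorted(entries.items())
        if path not in files or md5_hex(files[path]) != expected
    ]


# Constructed sample data (not real package contents).
GOOD_FILES = {
    "conaninfo.txt": b"[settings]\nos=Linux\n",
    "bin/terraform": b"#!/bin/sh\necho terraform 1.3.0\n",
}
GOOD_MANIFEST = build_manifest(1700000000, GOOD_FILES)
# Same files, later export: only the timestamp differs.
REEXPORTED_MANIFEST = build_manifest(1700000500, GOOD_FILES)
# One binary swapped on the server: its md5 entry changes.
TAMPERED_FILES = dict(GOOD_FILES, **{"bin/terraform": b"#!/bin/sh\necho tampered\n"})
TAMPERED_MANIFEST = build_manifest(1700000000, TAMPERED_FILES)

if __name__ == "__main__":
    lock = pin_manifests({"terraform/1.3.0": GOOD_MANIFEST})
    print(json.dumps(lock, indent=2))
    print("re-export:", verify_manifests(lock, {"terraform/1.3.0": REEXPORTED_MANIFEST}))
    print("tampered: ", verify_manifests(lock, {"terraform/1.3.0": TAMPERED_MANIFEST}))
    print("bad files:", check_files_against_manifest(GOOD_MANIFEST, TAMPERED_FILES))
```

The pin only records whatever manifest was present the first time the project was locked, so it detects later drift on the server or in a cache but cannot tell whether that first manifest was already bad; that is the trust-on-first-use limit the maintainer's reply on new versions points at.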
Issue Analytics
- Created 2 years ago
- Comments: 6 (2 by maintainers)
Thanks for the info. I’m closing this as my original question is answered as best possible I think, and I will open new questions for additional info on similar subjects.
Lockfiles can also lock the package revisions.
Yes, this should be doable with hooks. However, maybe you want to reconsider the feature; IMO it sounds a bit overkill given the trust model. You are hosting your packages yourself on your own server; if someone manages to hack into it and tamper with the packages, you probably have much bigger problems. New versions and releases also happen, and once the server is compromised the manifest checking will not help, as the new versions (which are compromised) will come with a new manifest that you need to accept as good, because there is no previous snapshot of that manifest, it being a new version.