Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

experimental client: download functions review

See original GitHub issue

Current state of _mirror_target_download() and _mirror_meta_download() in experimental client is a bit bad:

they are actually iterators that keep returning unverified file objects to the caller, this seems unusual and surprising: I was expecting them to return a verified file object
caller is expected to verify the contents — this makes some sense as the verification is different for e.g. root metadata and other metadata and targets… but it should be made very clear that the file object is potentially malicious data at this point
none of the callers currently iterate these function results (they just raise if first result is invalid) so it’s not clear if mirrors actually work
NoWorkingMirrorError can’t be raised from these iterators like it now happens (on every iteration that fails), it does not make any sense
_mirror_target_download type annotation is wrong

I would suggest we revert to a known working design if possible (_mirror_target_download() could just be almost 1:1 the current clients _get_target_file() function but the metadata verification needs something else).

I’ll try to come up with something…

Issue Analytics

State:
Created 2 years ago
Comments:10 (10 by maintainers)

Top GitHub Comments

1reaction

jkucommented, Apr 26, 2021

Could pip solve that problem on its own?

By the way, in case I’ve not been clear about this: this is not an issue in how pip is designed, it’s an issue with how pypi hosts its files: One host (pypi.org) serves metadata and targets. These targets contain URLs that pip parses to find more host-URLs: these hosts only serve target files – currently the only host is pythonhosted.org but it could be anything.

Apart from parsing target files to find more hosts, this sounds completely reasonable: assuming that metadata and targets are on the same host (or that targets are all on one host) could be a mistake for TUF.

1reaction

trishankatdatadogcommented, Apr 22, 2021

Unfortunately pip does need multiple hosts for targets. It’s not quite the concept of mirrors (the hosts don’t have the same targets) but currently the mirrors configuration can be used for it with some wrestling

I don’t think this is a problem TUF should solve at the risk of added complexity, especially if it’s designed for only one use case in mind. Could pip solve that problem on its own?

Top Results From Across the Web

Understand experimental, preview, and retired features in ...

Learn about experimental, preview, and retired features. ... Consider using alternatives, and review the timelines as listed in the feature ...

Experimental construct libraries are now available in AWS ...

The AWS CDK v2 experimental APIs are now available as separate packages, in addition to the existing stable APIs. The AWS Cloud Development ......

Steam Deck review: Expect an experimental gaming experience

Theoretically, it's a powerful tool that could let you download games beyond your Steam library, including emulators. It's not easy to use ...

Progress in the experimental and computational methods of ...

The present article reviews the various experimental methods and theoretical models employed for work function measurement along with their merits and ...

Biases in the Experimental Annotations of Protein Function ...

In this work we analyzed the relative contribution of peer-reviewed articles describing all the experimentally derived annotations in UniProt- ...