[liblzma] Workaround source repo having been disabled #37957
Conversation
https://github.com/tukaani-project/xz has been disabled. Use bminor's fork of xz until the liblzma project publishes a new official repository as proposed by @MichaelCurrie in a comment on microsoft#37839
There was a problem hiding this comment.
We have been explicitly asked by security folks to not change the upstream for liblzma at this time.
In particular, trying to grovel around for different mirrors leaves customers exposed to the original risk that caused the xz repo to be suspended and additional risks related to needing to trust whomever is operating the mirror
|
I mean it could be changed to the real upstream if github is not re-enabling the repo which it should have done at this point at least in archive/read-only mode. What are the security folks doing to unblock vcpkg users without an asset cache? |
idk what's there to trust tarball that has to hash up to a very specific sha512 otherwise it won't even extract. |
I browsed through all discussions yesterday and found some report the git.tukaani.org repository had bandwidth issues. Where we obtain the file from, for now, isn't really relevant, as the hash verifies the authenticity of the file, while the bmirror github account was the proposed one on the other thread.
Asset caches are not supposed to be a reliable source of data. If unused for a "while" (which varies between CIs and repository configurations) the asset cache contents will perish silently, if overstressed, the contents might perish, too. Caches usually aren't backup-ed, either, as their contents represent re-fetch-able data. Therefore, if a project is moved, or the CI is redeployed, the asset cache will be gone. It's just a matter of time until asset cached liblzma tarballs drop out of the cache. |
This port used to point to https://github.com/xz-mirror/xz (e9e1c40) which was archived just after the 5.4.4 tag (conveniently)? |
Setting up vcpkg tries to build xz from source, which fails because the entire xz repo has now been made private or taken down. The vcpkg team have been advised not to switch to an alternative repo [1], so for now our Windows builds will always fail. Turn those builds off, so that we don't get familiar with seeing red status markers on all PR's CI results. [1] microsoft/vcpkg#37957 - second comment is the vcpkg team's "We have been explicitly asked by security folks to not change the upstream [to a different repo] for liblzma at this time."
Setting up vcpkg tries to build xz from source, which fails because the entire xz repo has now been made private or taken down. The vcpkg team have been advised not to switch to an alternative repo [1], so for now our Windows builds will always fail. Turn those builds off, so that we don't get familiar with seeing red status markers on all PR's CI results. [1] `https://github.com/microsoft/vcpkg/pull/37957` - second comment is the vcpkg team's "We have been explicitly asked by security folks to not change the upstream [to a different repo] for liblzma at this time."
Setting up vcpkg tries to build xz from source, which fails because the entire xz repo has now been made private or taken down. The vcpkg team have been advised not to switch to an alternative repo [1], so for now our Windows builds will always fail. Turn those builds off, so that we don't get familiar with seeing red status markers on all PR's CI results. [1] `https://github.com/microsoft/vcpkg/pull/37957` - second comment is the vcpkg team's "We have been explicitly asked by security folks to not change the upstream [to a different repo] for liblzma at this time."
Setting up vcpkg tries to build xz from source, which fails because the entire xz repo has now been made private or taken down. The vcpkg team have been advised not to switch to an alternative repo [1], so for now our Windows builds will always fail. Turn those builds off, so that we don't get familiar with seeing red status markers on all PR's CI results. [1] `https://github.com/microsoft/vcpkg/pull/37957` - second comment is the vcpkg team's "We have been explicitly asked by security folks to not change the upstream [to a different repo] for liblzma at this time."
|
This has already impacted us over at https://github.com/wesnoth/wesnoth given that the vcpkg cache gets rebuilt every few days due to the Windows runner image frequently updating (#26601 (comment)) |
jimwang118
added
the
category:port-update
Setting up vcpkg tries to build xz from source, which fails because the entire xz repo has now been made private or taken down. The vcpkg team have been advised not to switch to an alternative repo [1], so for now our Windows builds will always fail. Turn those builds off, so that we don't get familiar with seeing red status markers on all PR's CI results. [1] `https://github.com/microsoft/vcpkg/pull/37957` - second comment is the vcpkg team's "We have been explicitly asked by security folks to not change the upstream [to a different repo] for liblzma at this time."
|
Since there are so many ports that depend on liblzma, I think we need to fix this ASAP. |
|
I agree with @JackBoosY that his PR should be applied immediately - 5.4 was not backdoored; we should not leave vcpkg liblzma in a broken state for over a week now. #38037 |
|
From official website, https://tukaani.org/xz/
could we use https://git.tukaani.org/xz.git instead? |
But
|
|
Thanks for the workaround attempt :) See #37841 (comment) : the repo should be public again. |
https://github.com/tukaani-project/xz has been disabled.
Use bminor's fork of xz until the liblzma project publishes a new official repository, as proposed by @MichaelCurrie in a comment on #37839 .
Fixes #37893
SHA512s are updated for each updated download.The "supports" clause reflects platforms that may be fixed by this new version.Any fixed CI baseline entries are removed from that file.Any patches that are no longer applied are deleted from the port's directory../vcpkg x-add-version --alland committing the result.