
Linting for new packages not using git-checkout

Open dakaneye opened this issue 1 year ago • 1 comments

Description

The foundations squad has made a concerted effort to update some of our most used packages to use git-checkout over fetch. Part of what enabled the xz attack is folks' reliance on source distributions. We should be biasing towards git-checkout in as many places as we conceivably can to prepare for a world where we want to analyze the upstream source repository for health indications, and aligning around git-checkout makes this significantly more tractable.

Therefore, we would like the normal checks done (both in the public os and enterprise-packages and extra-packages) as part of the wolfictl lint to also make sure that source code is retrieved via git-checkout instead of fetch.

dakaneye avatar Jun 28 '24 15:06 dakaneye
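A minimal form of the check described in the issue, written here as an added example in Go; it is not wolfictl's own lint code. It assumes only the melange YAML shape the thread refers to (pipeline steps declared with a `uses:` key) and scans the document line by line rather than with a full YAML parser, which also catches steps nested under subpackages. The two package definitions are constructed samples, not real Wolfi packages, and the digest and commit values are placeholders. The `Severity` knob reflects the suggestion below that the rule could start as a non-required (warning-only) check.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one pipeline step that retrieves source with "fetch".
type Finding struct {
	Line int    // 1-based line in the YAML document
	Uses string // the pipeline step name, always "fetch" here
}

// Severity lets the rule run advisory-only first and be promoted to a
// hard failure once the existing fetch users have been migrated.
type Severity string

const (
	Warn  Severity = "warning"
	Error Severity = "error"
)

// Constructed sample definitions in melange's YAML shape; neither is a real
// Wolfi package, and the digest/commit values are placeholders.
const sampleFetch = `package:
  name: example-pkg
  version: 1.2.3
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/example-pkg-${{package.version}}.tar.gz
      expected-sha256: PLACEHOLDER_SHA256
  - uses: autoconf/configure
  - uses: autoconf/make
`

const sampleGit = `package:
  name: example-pkg
  version: 1.2.3
pipeline:
  - uses: git-checkout
    with:
      repository: https://example.invalid/example-pkg.git
      tag: v${{package.version}}
      expected-commit: PLACEHOLDER_COMMIT
  - uses: autoconf/configure
`

// usesStep returns the value of a "uses:" key on one YAML line, ignoring
// list dashes, surrounding quotes and trailing comments.
func usesStep(line string) (string, bool) {
	s := strings.TrimSpace(line)
	if strings.HasPrefix(s, "#") {
		return "", false // a commented-out step is not a step
	}
	s = strings.TrimPrefix(s, "- ")
	if !strings.HasPrefix(s, "uses:") {
		return "", false
	}
	v := strings.TrimPrefix(s, "uses:")
	if i := strings.Index(v, " #"); i >= 0 {
		v = v[:i]
	}
	return strings.Trim(strings.TrimSpace(v), `"'`), true
}

// LintSourceFetch scans the document line by line and reports every pipeline
// step (including those nested under subpackages) that uses "fetch".
func LintSourceFetch(doc string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(doc))
	for n := 1; sc.Scan(); n++ {
		if v, ok := usesStep(sc.Text()); ok && v == "fetch" {
			findings = append(findings, Finding{Line: n, Uses: v})
		}
	}
	return findings
}

// Report renders the findings and says whether the lint run should fail:
// only at Error severity does a finding fail the run.
func Report(pkg, doc string, sev Severity) ([]string, bool) {
	var msgs []string
	for _, f := range LintSourceFetch(doc) {
		msgs = append(msgs, fmt.Sprintf("%s:%d: %s: pipeline step uses %q; prefer git-checkout with expected-commit",
			pkg, f.Line, sev, f.Uses))
	}
	return msgs, sev == Error && len(msgs) > 0
}

func main() {
	for _, c := range []struct{ name, doc string }{{"fetch.yaml", sampleFetch}, {"git.yaml", sampleGit}} {
		msgs, fail := Report(c.name, c.doc, Warn)
		for _, m := range msgs {
			fmt.Println(m)
		}
		fmt.Printf("%s: %d finding(s), fail=%v\n", c.name, len(msgs), fail)
	}
}
```

Run as-is it reports the `fetch` step in the first sample at warning severity without failing; switching the call to `Error` is what turns the same finding into a required check once the backlog of existing fetch users is small enough.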

Are we thinking this should not be a required check? It looks like there are ~900 packages in wolfi that still use fetch; any automated package update will fail the new check. So maybe we start with a non-required check?

Rough idea of Wolfi packages currently using fetch: https://github.com/search?q=repo%3Awolfi-dev%2Fos+%22uses%3A+fetch%22&type=code

rawlingsj avatar Jul 16 '24 16:07 rawlingsj