[ https://issues.apache.org/jira/browse/MBUILDCACHE-86?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840338#comment-17840338 ]

ASF GitHub Bot commented on MBUILDCACHE-86:
-------------------------------------------

kbuntrock commented on PR #104:
URL: https://github.com/apache/maven-build-cache-extension/pull/104#issuecomment-2074391072

   > > some "weird" pom files
   > 
   > oh, this is Maven 4 consumer POMs, that seem to have been generated with random file names
   > 
   > @gnodet do we really want these random file names? Do we need to create a hack in build cache extension to manage this randomness?
   
   To add a bit of context, I did some experiments yesterday evening. Here are some extracts of the file `buildinfo.xml` after the execution of the goal package in different contexts: 
   
   ### Test "IncrementalRestoreTest", on this branch:
   
   ```xml
   <goals>
     <goal>package</goal>
   </goals>
   <artifact>
     <groupId>org.apache.maven.caching.test</groupId>
     <artifactId>mbuildcache-incremental</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <type>jar</type>
     <fileName>mbuildcache-incremental.jar</fileName>
     <fileHash>887c667918b9b71d</fileHash>
     <fileSize>3119</fileSize>
     <filePath>target/mbuildcache-incremental-final.jar</filePath>
   </artifact>
   <attachedArtifacts>
     <attachedArtifact>
       <groupId>org.apache.maven.caching.test</groupId>
       <artifactId>mbuildcache-incremental</artifactId>
       <version>0.0.1-SNAPSHOT</version>
       <classifier>consumer</classifier>
       <type>pom</type>
       <fileName>mbuildcache-incremental-consumer.pom</fileName>
       <fileHash>bf52cc397806673a</fileHash>
       <fileSize>430</fileSize>
       <filePath>target/consumer-4676390733155918308.pom</filePath>
     </attachedArtifact>
   </attachedArtifacts>
   ```
   
   ### Test "IncrementalRestoreTest", on the branch master:
   
   ```xml
   <goals>
     <goal>package</goal>
   </goals>
   <artifact>
     <groupId>org.apache.maven.caching.test</groupId>
     <artifactId>mbuildcache-incremental</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <type>jar</type>
     <fileName>mbuildcache-incremental.jar</fileName>
     <fileHash>41e8d89e0385f771</fileHash>
     <fileSize>3119</fileSize>
   </artifact>
   <attachedArtifacts>
     <attachedArtifact>
       <groupId>org.apache.maven.caching.test</groupId>
       <artifactId>mbuildcache-incremental</artifactId>
       <version>0.0.1-SNAPSHOT</version>
       <classifier>consumer</classifier>
       <type>pom</type>
       <fileName>mbuildcache-incremental-consumer.pom</fileName>
       <fileHash>bf52cc397806673a</fileHash>
       <fileSize>430</fileSize>
     </attachedArtifact>
   </attachedArtifacts>
   ```
   
   
   ### On a standalone project based on "IncrementalRestoreTest", with the extension code of this branch:
   
   ```xml
   <goals>
     <goal>package</goal>
   </goals>
   <artifact>
     <groupId>org.apache.maven.caching.test</groupId>
     <artifactId>mbuildcache-incremental</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <type>jar</type>
     <fileName>mbuildcache-incremental.jar</fileName>
     <fileHash>8d6a9a9795c1f249</fileHash>
     <fileSize>3122</fileSize>
     <filePath>target/mbuildcache-incremental-final.jar</filePath>
   </artifact>
   ```
   
   Meaning that:
   - It might be linked to the IT execution context
   - It is not related to this PR, so I will focus on updating the current tests and put this problem aside.




> Bugfix and enhancements with the restoration of outputs on disk
> ---------------------------------------------------------------
>
>                 Key: MBUILDCACHE-86
>                 URL: https://issues.apache.org/jira/browse/MBUILDCACHE-86
>             Project: Maven Build Cache Extension
>          Issue Type: Improvement
>            Reporter: Kevin Buntrock
>            Priority: Major
>              Labels: pull-request-available
>
> *Fixes :*
>  * Files containing an underscore in their name can't be restored in the 
> cache directory correctly (not in the same directory location).
>  * The cache is able to extract/restore files in locations outside the 
> project. I guess the extraction part is not a vulnerability since someone 
> with commit permissions can guess other ways to extract data. But the 
> possibility of restoring at any place on the disk looks pretty dangerous to 
> me if a remote cache server is compromised.
> *Enhancements :*
>  * Possibility to restore artefacts on disk, with a dedicated property : 
> maven.build.cache.restoreOnDiskArtefacts (default to true). Meaning in the 
> project directory, as opposed to the cache directory.
>  ** IDE integration and use of the cache locally in development is way 
> easier. It is now possible to retrieve a cached jar in the "target" directory.
>  * Introduce "globs" to filter extra attached outputs by filenames.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
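
The second fix in the issue description concerns cache entries being restored outside the project directory. As an added illustration (not the extension's own code; the class and method names are hypothetical), a containment check applied to each `filePath` value from a cached `buildinfo.xml` before anything is written could look like this:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.List;

// Added example: containment check for <filePath> values read from a cached buildinfo.xml.
// RestorePathCheck and resolveInsideProject are hypothetical names, not the extension's API.
public class RestorePathCheck {

    /** Resolves a cache-supplied relative path; rejects anything landing outside projectDir. */
    static Path resolveInsideProject(Path projectDir, String filePath) throws IOException {
        Path base = projectDir.toRealPath();                // canonical base, symlinks resolved
        Path candidate = Path.of(filePath);
        if (candidate.isAbsolute()) {
            throw new IOException("absolute path in cache entry: " + filePath);
        }
        Path target = base.resolve(candidate).normalize();  // collapses "." and ".." segments
        if (!target.startsWith(base)) {                     // compares path elements, not string prefixes
            throw new IOException("cache entry escapes project directory: " + filePath);
        }
        // Find the deepest ancestor that already exists (a dangling link counts as existing)
        // and make sure its real location is still inside the project.
        Path existing = target;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (existing == null || !existing.toRealPath().startsWith(base)) {
            throw new IOException("cache entry resolves through a link outside the project: " + filePath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path project = Files.createTempDirectory("project");
        // Constructed sample values; the first is the filePath shown in the comment above.
        List<String> samples = List.of(
                "target/mbuildcache-incremental-final.jar",
                "../outside.jar",
                "target/../../outside.jar",
                project.getRoot().resolve("outside.jar").toString());
        for (String s : samples) {
            try {
                System.out.println("OK      " + resolveInsideProject(project, s));
            } catch (IOException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the other three are rejected before any file would be written.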
