Bug 775110 - create-uninstalled-setup.sh script should use https: instead of git: and --depth=1
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gstreamer (core)
Version: git master
Hardware: Other Linux
Importance: Normal enhancement
Target Milestone: 1.11.1
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2016-11-25 18:42 UTC by Hanno Böck
Modified: 2016-11-26 11:14 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
proposed patch (510 bytes, patch)
2016-11-25 18:42 UTC, Hanno Böck
reviewed

Description Hanno Böck 2016-11-25 18:42:15 UTC
Created attachment 340775
proposed patch

The script at
https://cgit.freedesktop.org/gstreamer/gstreamer/plain/scripts/create-uninstalled-setup.sh
clones modules with the git:// protocol, which is problematic from a security perspective, as it provides no authenticity of data. I suggest using https instead.

Also I think cloning the full repository history isn't necessary for this use case and makes things unnecessarily slow. Adding --depth=1 causes the cloning of a shallow copy. See attached patch.
Comment 1 Tim-Philipp Müller 2016-11-25 19:39:14 UTC
Comment on attachment 340775
proposed patch

The change to https makes sense, for the reason you mention but also because it is more likely to work in environments with restrictive firewalls and such.

I'm not really a fan of the --depth=1 though, since that means no tags or remote branches will be downloaded, so this would only make sense if the target was master. I think it's false economy though and just not worth it in the end.

On a side note, gst-build is the new thing for this :)
Comment 2 Hanno Böck 2016-11-25 21:27:57 UTC
Okay, the shallow copy depends on what you use it for. For me it was a simple way of testing the very latest git code, therefore I don't care about history.

Maybe this could be made optional with a parameter? (Or just a way to pass something to the git clone command.) But also not super important.
Comment 3 Tim-Philipp Müller 2016-11-26 11:14:30 UTC
Ok, I've made it into a CLONE_OPTS variable which just has to be uncommented.

commit 950f68c8fe89f09c6ac63a90a230d6000406e759
Author: Hanno Boeck <hanno@hboeck.de>
Date:   Sat Nov 26 11:06:20 2016 +0000

    scripts: create-uninstalled-setup: use https protocol to clone repos
    
    The git:// protocol is problematic from a security perspective, as
    it provides no authenticity of data. https:// also works better in
    environments with restricted network connectivity.
    
    Also add CLONE_OPTS to do shallow checkouts more easily.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775110


A patch in git format-patch format would be appreciated next time :)
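
The check discussed in this report, as an added example that is not part of the bug thread or of the GStreamer script: shell functions that flag download URLs using an unauthenticated transport and refuse to clone over anything but https://. The hostnames, sample lines and function names are constructed; CLONE_OPTS mirrors the variable named in comment 3, and the git:// to https:// rewrite assumes the server serves the same path over https.

```shell
#!/bin/sh
# Added example; hostnames and sample lines are constructed.

# Constructed stand-in for a setup script's download lines.
sample_script() {
  cat <<'EOF'
for m in core plugins; do
  git clone git://git.example.org/project/$m
done
git clone https://git.example.org/project/docs
wget http://mirror.example.org/project/extra.tar.gz
EOF
}

# Read a script on stdin; print "line:url" for each URL whose transport
# gives no server authentication or integrity (git:// and plain http://).
find_insecure_urls() {
  grep -nEo '(git|http)://[A-Za-z0-9._~/:@%$+-]+' || true
}

# Rewrite git:// to https://. Assumes the server exposes the same
# repository path over https; other URLs pass through unchanged.
to_https() {
  case "$1" in
    git://*) printf 'https://%s\n' "${1#git://}" ;;
    *)       printf '%s\n' "$1" ;;
  esac
}

# Clone $1 into $2, refusing any transport other than https://.
# CLONE_OPTS is optional, e.g. CLONE_OPTS=--depth=1 for a shallow copy.
clone_module() {
  url=$(to_https "$1")
  case "$url" in
    https://*) ;;
    *) echo "refusing non-https URL: $url" >&2; return 1 ;;
  esac
  # Intentionally unquoted so several options can be passed.
  git clone ${CLONE_OPTS:-} -- "$url" "$2"
}

# Audit the constructed sample: prints the two offending lines.
sample_script | find_insecure_urls
```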