[Sources] Ban GitHub-generated archives as sources (#293)

Author: giordano

src/Sources.jl

@@ -17,6 +17,27 @@ Concrete subtypes of `AbstractSource` are:
 """
 abstract type AbstractSource end
 
+function check_github_archive(url::String)
+    # See
+    # * https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/
+    # * https://github.com/bazel-contrib/SIG-rules-authors/issues/11
+    # * https://github.com/spack/spack/issues/35250
+    # Note: according to
+    # <https://github.com/bazel-contrib/SIG-rules-authors/issues/11#issuecomment-1029861300>
+    # the `/archive/refs/tag` should be more stable, but that didn't happen in the incident
+    # on 2023-01-30, so it's unclear whether we can trust them.
+    if contains(url, r"github.com/[^/]+/[^/]+/archive/(refs/tag/)?[^/]+\.(tar\.gz|zip)$")
+        throw(ArgumentError("""
+                            The archive automatically generated by GitHub
+                              $(url)
+                            may not have a stable checksum in the future, thus cannot be used as a reliable source, see
+                            <https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/>.
+                            Use a different source, for example a `GitSource`, or an official release artifact uploaded
+                            by the maintainers of the package (*not* the automatic archive produced by GitHub).
+                            """))
+    end
+end
+
 """
     ArchiveSource(url::String, hash::String; unpack_target::String = "")
 
@@ -32,6 +53,10 @@ struct ArchiveSource <: AbstractSource
     url::String
     hash::String
     unpack_target::String
+    function ArchiveSource(url::String, hash::String, unpack_target::String)
+        check_github_archive(url)
+        return new(url, hash, unpack_target)
+    end
 end
 ArchiveSource(url::String, hash::String; unpack_target::String = "") =
     ArchiveSource(url, hash, unpack_target)
@@ -56,6 +81,10 @@ struct FileSource <: AbstractSource
     url::String
     hash::String
     filename::String
+    function FileSource(url::String, hash::String, filename::String)
+        check_github_archive(url)
+        return new(url, hash, filename)
+    end
 end
 FileSource(url::String, hash::String; filename::String = basename(url)) =
     FileSource(url, hash, filename)

test/sources.jl

@@ -10,6 +10,11 @@ using JSON
     @test GitSource("https://github.com/jedisct1/libsodium.git", "5b2ea7d73d3ffef2fb93b82b9f112f009d54c6e6"; unpack_target = "libs").unpack_target == "libs"
     @test FileSource("https://curl.haxx.se/ca/cacert-2020-01-01.pem", "adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f").filename == "cacert-2020-01-01.pem"
     @test FileSource("https://curl.haxx.se/ca/cacert-2020-01-01.pem", "adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f"; filename="cacert.pem").filename == "cacert.pem"
+    # GitHub-generated archives are banned
+    @test_throws ArgumentError ArchiveSource("https://github.com/ralna/ARCHDefs/archive/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff")
+    @test_throws ArgumentError ArchiveSource("https://github.com/ralna/ARCHDefs/archive/refs/tag/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff")    
+    @test_throws ArgumentError FileSource("https://github.com/ralna/ARCHDefs/archive/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff")
+    @test_throws ArgumentError FileSource("https://github.com/ralna/ARCHDefs/archive/refs/tag/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff")    
 
     @test SetupSource("https://ftp.gnu.org/gnu/wget/wget-1.20.3.tar.gz", "wget-1.20.3.tar.gz", "", "") isa SetupSource{ArchiveSource}
     @test SetupSource("https://ftp.gnu.org/gnu/wget/wget-1.20.3.zip", "wget-1.20.3.zip", "", "")    isa SetupSource{ArchiveSource}
@@ -20,12 +25,12 @@ using JSON
     @testset "Download and setup" begin
         mktempdir() do dir
             cd(dir) do
-                as = ArchiveSource("https://github.com/ralna/ARCHDefs/archive/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff")
+                as = ArchiveSource("https://github.com/JuliaBinaryWrappers/libcellml_jll.jl/releases/download/libcellml-v0.4.0%2B0/libcellml-logs.v0.4.0.x86_64-w64-mingw32-cxx03.tar.gz", "237013b20851355c4c1d22ceac7e73207b44d989d38b6874187d333adfc79c77")
                 # Download the source
                 sas = @test_logs (:info, r"Downloading .* to.*") download_source(as; verbose = true, downloads_dir = dir)
                 # Check that the cache is found
                 @test @test_logs (:info, r"Cached file found in .*") download_source(as; verbose = true, downloads_dir = dir) == sas
-                fs = FileSource("https://github.com/ralna/ARCHDefs/archive/v2.0.3x.tar.gz", "6583e27f84338447767bbdf4335514c8836ae4ad54f5e66280307e8b57189cff"; filename = "file-source.tar.gz")
+                fs = FileSource("https://github.com/JuliaBinaryWrappers/libcellml_jll.jl/releases/download/libcellml-v0.4.0%2B0/libcellml-logs.v0.4.0.x86_64-w64-mingw32-cxx03.tar.gz", "237013b20851355c4c1d22ceac7e73207b44d989d38b6874187d333adfc79c77"; filename = "file-source.tar.gz")
                 # Re-fetch the same tarball, as a `FileSource` this time
                 sfs = @test_logs (:info, r"Cached file found in .*") download_source(fs; verbose = true, downloads_dir = dir)
                 gs = GitSource("https://github.com/ralna/ARCHDefs.git", "fc8c5960c3a6d26970ab245241cfc067fe4ecfdd")
@@ -90,7 +95,7 @@ using JSON
                 @test islink(joinpath(target, "link.patch"))
 
                 # Make sure in srcdir there are all files and directories we expect
-                @test Set(readdir(srcdir)) == Set(["ARCHDefs", "ARCHDefs-2.0.3x", fs.filename, "patches_follow", "patches_nofollow"])
+                @test Set(readdir(srcdir)) == Set(["ARCHDefs", "logs", fs.filename, "patches_follow", "patches_nofollow"])
 
                 # Setup the sources with `setup_workspace`
                 workspace = joinpath(dir, "workspace")