3
26
Fork
You've already forked mere
1

Re-verify cached archive hash before trusting it on restore #106

Merged
jhuntwork merged 1 commit from build-cache-archive-restore-verify into main 2026年07月10日 15:52:26 +02:00

restorePackageArchiveForKey copied a cached package archive out of the
build cache and returned its recorded archive_hash/signature verbatim,
with no check that those still matched the file's actual bytes. This
was asymmetric with storePackageArchiveForKey, which does verify before
caching. If the cached archive bit-rotted or was otherwise overwritten
on disk, a stale/wrong hash+signature pair would be handed back as if
it described the restored bytes.

Fix by re-hashing the copied archive and comparing against the recorded
archive_hash before returning it. On mismatch, treat the entry as a
cache miss (matching the self-healing convention used elsewhere in this
cache) so the caller rebuilds the package fresh instead of trusting
metadata that doesn't match the restored file.

Add a regression test that stores a real archive, corrupts the cached
copy on disk to simulate bit rot, and confirms restorePackageArchiveForKey
now returns null instead of a mismatched hash/signature pair. Verified
the test fails without the fix (a non-null result is returned and
leaked, since nothing frees a hit the caller wasn't expecting).

restorePackageArchiveForKey copied a cached package archive out of the build cache and returned its recorded archive_hash/signature verbatim, with no check that those still matched the file's actual bytes. This was asymmetric with storePackageArchiveForKey, which does verify before caching. If the cached archive bit-rotted or was otherwise overwritten on disk, a stale/wrong hash+signature pair would be handed back as if it described the restored bytes. Fix by re-hashing the copied archive and comparing against the recorded archive_hash before returning it. On mismatch, treat the entry as a cache miss (matching the self-healing convention used elsewhere in this cache) so the caller rebuilds the package fresh instead of trusting metadata that doesn't match the restored file. Add a regression test that stores a real archive, corrupts the cached copy on disk to simulate bit rot, and confirms restorePackageArchiveForKey now returns null instead of a mismatched hash/signature pair. Verified the test fails without the fix (a non-null result is returned and leaked, since nothing frees a hit the caller wasn't expecting).
Re-verify cached archive hash before trusting it on restore
All checks were successful
/ test (pull_request) Successful in 6m49s
eef3869fc8
restorePackageArchiveForKey copied a cached package archive out of the
build cache and returned its recorded archive_hash/signature verbatim,
with no check that those still matched the file's actual bytes. This
was asymmetric with storePackageArchiveForKey, which does verify before
caching. If the cached archive bit-rotted or was otherwise overwritten
on disk, a stale/wrong hash+signature pair would be handed back as if
it described the restored bytes.
Fix by re-hashing the copied archive and comparing against the recorded
archive_hash before returning it. On mismatch, treat the entry as a
cache miss (matching the self-healing convention used elsewhere in this
cache) so the caller rebuilds the package fresh instead of trusting
metadata that doesn't match the restored file.
Add a regression test that stores a real archive, corrupts the cached
copy on disk to simulate bit rot, and confirms restorePackageArchiveForKey
now returns null instead of a mismatched hash/signature pair. Verified
the test fails without the fix (a non-null result is returned and
leaked, since nothing frees a hit the caller wasn't expecting).
jhuntwork deleted branch build-cache-archive-restore-verify 2026年07月10日 15:52:27 +02:00
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
merelinux/mere!106
Reference in a new issue
merelinux/mere
No description provided.
Delete branch "build-cache-archive-restore-verify"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?