
Replace manageForeignResources.php
Status: Closed, Declined. Visibility: Public

Description

Per T359634 (Adopt Software Bill of Materials (SBOM) for MediaWiki), we are replacing the in-house foreign-resources.yaml format with the CycloneDX standard. foreign-resources.yaml was managed via manageForeignResources.php (and the ForeignResourceManager class), which can:

  • validate the foreign-resources.yaml file format
  • download the file(s) or directory or tarball from the given URL, and verify it matches the hashes in the foreign-resources.yaml
  • download the file(s) etc from the given URL, and verify it matches the content in the repository
  • download the file(s), etc., and update the ones on disk (after one has updated the version/URL in the foreign-resources.yaml file), potentially filtering which files are stored and mapping where they are stored, and optionally applying a set of transformations to the files (currently the only supported one is prefixing specified CSS files with /*@nomin*/)
  • download the file(s), etc., and print their hashes, so the foreign-resources.yaml file can be updated (for upstreams that don't publish hashes for their releases)

ForeignResourceStructureTest does the first three of these (only for MediaWiki core - that's T330508).

All this should be migrated for CycloneDX (which presumably already has tooling for it).
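The first three capabilities above (validate the manifest, verify fetched content against the recorded hash, and check that the copy in the repository matches upstream) are the supply-chain integrity core of the tool. The following is an added Python example, written for this task page and not MediaWiki's manageForeignResources.php or ForeignResourceManager code. It assumes a simplified manifest modelled as an already-parsed dict with `src`, `dest`, `version`, `license` and an SRI-style `integrity` value (`<algo>-<base64 digest>`); network fetching is replaced by a caller-supplied fetch function and constructed byte strings so it runs offline, and it handles single files only (the directory and tarball cases are not modelled).

```python
"""Integrity checks in the spirit of manageForeignResources.php (added example,
not the project's code). Manifest layout, 'dest' key and SRI-style 'integrity'
values are assumptions for this illustration, not the real file schema."""
import base64
import hashlib
import hmac
from typing import Callable, Dict, List

# Digest algorithms an integrity value may name (assumed set).
ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def integrity_string(content: bytes, algo: str = "sha384") -> str:
    """Capability 4: produce '<algo>-<base64>' so a manifest can be updated
    for upstreams that publish no hashes."""
    digest = ALGORITHMS[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Capability 2: constant-time comparison of content against the manifest value."""
    algo, _, expected_b64 = integrity.partition("-")
    if algo not in ALGORITHMS or not expected_b64:
        raise ValueError(f"unsupported integrity value: {integrity!r}")
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed digest in {integrity!r}") from exc
    actual = ALGORITHMS[algo](content).digest()
    return hmac.compare_digest(actual, expected)


def validate_manifest(manifest: Dict[str, dict]) -> List[str]:
    """Capability 1: structural checks; returns a list of problems (empty = OK)."""
    problems = []
    for name, entry in manifest.items():
        for key in ("src", "dest", "version", "license", "integrity"):
            if key not in entry:
                problems.append(f"{name}: missing '{key}'")
        algo = str(entry.get("integrity", "")).partition("-")[0]
        if algo not in ALGORITHMS:
            problems.append(f"{name}: unknown integrity algorithm {algo!r}")
    return problems


def check_resource(name: str, entry: dict, fetch: Callable[[str], bytes],
                   on_disk: Dict[str, bytes]) -> List[str]:
    """Capabilities 2 and 3: fetch upstream, verify its hash, then confirm the
    repository copy is byte-identical. A hash failure stops further checks
    because the downloaded bytes cannot be trusted."""
    findings = []
    content = fetch(entry["src"])
    if not verify_integrity(content, entry["integrity"]):
        findings.append(f"{name}: downloaded content does not match manifest integrity")
        return findings
    if on_disk.get(entry["dest"]) != content:
        findings.append(f"{name}: repository copy at {entry['dest']} differs from upstream")
    return findings


# Constructed sample data: a "good" upstream file and a tampered variant.
GOOD = b"/* constructed upstream file */\nvar lib = 1;\n"
TAMPERED = b"/* constructed upstream file */\nvar lib = 1; extra();\n"

MANIFEST = {
    "example-lib": {
        "version": "1.0.0",
        "license": "MIT",
        "src": "https://example.invalid/example-lib-1.0.0.js",  # constructed URL
        "dest": "resources/lib/example-lib/example-lib.js",     # constructed path
        "integrity": integrity_string(GOOD),
    }
}


def demo(upstream_bytes: bytes, repo_bytes: bytes) -> List[str]:
    """Run the checks with a stubbed fetch returning upstream_bytes and a
    stubbed repository holding repo_bytes at the manifest's dest path."""
    entry = MANIFEST["example-lib"]
    return check_resource("example-lib", entry,
                          fetch=lambda url: upstream_bytes,
                          on_disk={entry["dest"]: repo_bytes})


if __name__ == "__main__":
    print("manifest problems:", validate_manifest(MANIFEST))
    print("clean:", demo(GOOD, GOOD))
    print("tampered upstream:", demo(TAMPERED, GOOD))
    print("drifted repo copy:", demo(GOOD, TAMPERED))
```

The three `demo` calls exercise the outcomes a CI job such as ForeignResourceStructureTest cares about: no findings when upstream, manifest and repository agree; a hash-mismatch finding when the upstream bytes no longer match the manifest; and a drift finding when the repository copy was edited locally without the manifest changing.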

Event Timeline

optionally apply a set of transformations to the files (currently the only supported one is prefixing specified CSS files with /*@nomin*/)

Which is actually not used since support for old Vega was removed from Graph, so we can just discard it.

There's an official library, CycloneDX/cyclonedx-php-library, which is probably best used for parsing and validating the BOM file, but doesn't seem to be capable of doing much else. There is a command-line tool, CycloneDX/cyclonedx-cli (written in C#) which can verify file signatures, but the functionality seems pretty rudimentary (e.g. no directory hashes). At a glance, all the projects in https://cyclonedx.org/tool-center/ are either broken or are focusing on docker containers, not files. So we will probably have to write our own tool.

Per T363589#9770861, can't really be replaced by CycloneDX.