cmd: validate: add --strict mode#211
Merged
vbatts merged 7 commits intovbatts:mainfrom Jan 9, 2026
Merged
Conversation
Contributor
Author
|
@vbatts I think this includes all of the key bits that would be nice to have for a 0.6.1 (or 0.7). I didn't add anything extra to |
Contributor
Author
|
Hmmm, It's failing because the timestamps are different for some reason...? |
Contributor
Author
|
Oh, this is also broken in |
4dd69ba to
722413f
Compare
cyphar
added a commit
to cyphar/go-mtree
that referenced
this pull request
Sep 28, 2025
Aleksa Sarai (7): cmd: validate: add --strict mode compare: move FreeBSD loose keyword comparisons to gomtree command cmd: validate: restructure filtering to use filter functions cmd: validate: remove dead "current keyword" code compare: modernise DirectoryHierarchy compare impl compare: modernise compareEntry compare: export official way to modify InodeDelta.Diff LGTMs: cyphar
At the moment, filtering out keyword changes from an InodeDelta after doing Compare is a little complicated and error-prone. The simplest solution is to allow for callers to access a pointer to the underlying slice so it can be modified properly. The filtering logic in the gomtree command-line implicitly depends on the behaviour of InodeDelta.Diff -- DiffPtr would be a far more appropriate replacement. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The previous logic was overly complicated and can be simplified a lot (especially now that we have helpful generic stdlib packages for dealing with maps). There are still several bugs in this, but the intention of this patch is to just modernise the code without making any functional changes. Bugfixes will come later. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This is fairly similar to the compareEntry modernisation, but there was no need to use maps.Insert or maps.Collect since we want to pre-allocate the map sizes anyway. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This lets us modernise the filtering logic a little bit, and also allows us to configure which filters we wish to apply (a future patch will move some of the filtering done in the top-level go-mtree package to the cmd/validate package). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
FreeBSD has quite unfortunate behaviour when dealing with keywords that are missing in one of the manifests being compared -- namely, they ignore these instances. Commit 21723a3 ("*: fix comparison of missing keywords") re-added this behaviour after the introduction of the Compare API, but unfortunately it was implemented in the Compare API itself -- meaning that library users (which didn't want this behaviour) were silently opted into it. This patch moves the behaviour to the command-line, where it belongs (a future patch in this series will allow users to opt-out of this unfortunate behaviour, as well as some other unfortunate FreeBSD compatibility behaviours). Fixes: 21723a3 ("*: fix comparison of missing keywords") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Due to FreeBSD compatibility, we have so far been forced into some unfortunate behaviour with regards to which comparison errors we actually return an error code for. FreeBSD generally does not return errors if a file or keyword only exists in one of the manifests being compared. Some users do not care about FreeBSD compatibility and just want to get errors if there is any difference between a manifest and directory tree. Commit 9cdd915 ("cmd: gomtree: re-enable errors when there is a Modified entry") added a TODO to implement this, but I've only just got around to implementing it. This patch adds a new --strict flag to "gomtree validate", which causes it to error out if any changes were detected and also disables the FreeBSD compatibility keyword delta filters. This is more akin to what modern users would expect from a manifest validation tool. Fixes: 21723a3 ("*: fix comparison of missing keywords") Fixes: 9cdd915 ("cmd: gomtree: re-enable errors when there is a Modified entry") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
Hi, is this active? It'd simplify keeping umoci builds up to date if it could move off its fork, which apparently depends on this. (I am looking into building an umoci with an updated golang.org/x/crypto to fix a CVE) |
Contributor
Author
|
@mikemccracken Yes, I'm just waiting for @vbatts to have the time to review this (as well as #214). |
cyphar
added a commit
to cyphar/go-mtree
that referenced
this pull request
Dec 20, 2025
Aleksa Sarai (7): cmd: validate: add --strict mode compare: move FreeBSD loose keyword comparisons to gomtree command cmd: validate: restructure filtering to use filter functions cmd: validate: remove dead "current keyword" code compare: modernise DirectoryHierarchy compare impl compare: modernise compareEntry compare: export official way to modify InodeDelta.Diff LGTMs: cyphar
Owner
|
Ohman sorry! I got to one of the PR's and thought the others were draft
or needing to be rebased.
Is everything ready for review?
|
Contributor
Author
|
Yes, everything should be ready for review. FWIW I've been shipping these patches in umoci for a few months now. |
Owner
|
LGTM |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Due to FreeBSD compatibility, we have so far been forced into some
unfortunate behaviour with regards to which comparison errors we
actually return an error code for. FreeBSD generally does not return
errors if a file or keyword only exists in one of the manifests being
compared.
Some users do not care about FreeBSD compatibility and just want to get
errors if there is any difference between a manifest and directory tree.
Commit 9cdd915 ("cmd: gomtree: re-enable errors when there is a
Modified entry") added a TODO to implement this, but I've only just got
around to implementing it.
This patch adds a new --strict flag to "gomtree validate", which causes
it to error out if any changes were detected and also disables the
FreeBSD compatibility keyword delta filters. This is more akin to what
modern users would expect from a manifest validation tool.
This patch resolves the remaining issues in opencontainers/umoci#620.
Closes #210
Fixes: 21723a3 ("*: fix comparison of missing keywords")
Fixes: 9cdd915 ("cmd: gomtree: re-enable errors when there is a Modified entry")
Signed-off-by: Aleksa Sarai cyphar@cyphar.com