feat: Drastically increase the operating system support for USB creation script #828
Conversation
|
Older jq versions appear to break in many cases here. Working to resolve it |
Co-authored-by: nyx <[email protected]>
| printf "%b\n" "No arguments needed. The script will prompt for ISO path and USB device." | ||
| exit 1 | ||
| } | ||
| CONFIGURATION_URL="https://github.com/quickemu-project/quickget_configs/releases/download/daily/quickget_data.json" |
There was a problem hiding this comment.
can we not externally link projects that could potentially be dangerous, this is a risk i'm not sure Chris would like to take, maybe we should host this in this repository so it can be monitored.
There was a problem hiding this comment.
Please read the body of my PR. That is quite literally the entire proposal of the PR. The project that is being relied upon here is extremely trustworthy. The Quickemu project was created by Martin Wimpress, who is an extremely trusted member of the community. He's a former Canonical employee and long term lead of Ubuntu MATE. In fact, Chris has used and showcased quickemu's bash scripts & flutter GUI in the past (https://www.youtube.com/watch?v=87MCT3Ekjlo).
The quickget_configs tool, in specific, was created by me. I had several discussions with other contributors to the quickemu project along with the lead, and the idea of creating a tool which generates all the data necessary to create a QEMU virtual machine, including URLs to download image files, in CI was brought up. I worked on it for a bit alongside my re-implementations of the project's 2 main tools, and then relinquished my ownership of the project to Martin's quickemu project. Once again, it's in very safe hands. The project will not be hosted in this repository, for reasons that should already be spelled out well enough.
It's also worth looking at what a potential attack on the project could even affect. Someone would have to insert a mirror providing malicious images into the logic for creating configurations to download one operating system. There should and will be high scrutiny on unrecognized URLs in future contributions to the project, and the reward for the attacker for carrying out such a complicated attack would be miniscule (it would only affect people who chose to download that one specific operating system, nearly exclusively for virtual machines). If we are to be worried about a security risk, a MITM attack (which this change would protect against, due to the checksums being fetched in CI) or a legitimate mirror being compromised are far more likely threats.
Co-authored-by: adamperkowski <[email protected]>
Type of Change
Description
Remove inbuilt logic for finding debian & arch ISO URLs from the USB creation script. Instead, if the user selects the online ISO option, download JSON data containing the necessary information from a project I started and brought into the quickemu project, quickget_configs. This project was created to eventually be used to fully replace functionality in the quickget bash script, similar to that present in this script. Thus, it provides the data necessary to download images of various operating systems. The data is produced daily in CI, where invalid or unresolvable URLs (and their accompanying entries) are thrown out, and other useful information, like SHA256 checksums to verify validity, are included.
jq is used to filter through this JSON data, and ensure that we're only taking entries with 1 ISO file and nothing else. The user is prompted for the Architecture, OS, Release, and Edition (if necessary), and the ISO is downloaded, verified, and unarchived as applicable. This change will additionally reduce the maintenance burden on this script, since the logic to find URLs is contained within a different project.
I also found and removed an unused usage function. I suppose someone forgot to remove that after asking an LLM to write an entire script for them... @guruswarupa
2024-10-14.17-38-07.mp4
Impact
jq is added as a dependency for the script, along with a few archiving tools (xz, bzip2, gzip).
Issues / other PRs related
Checklist