Specify a metadata format for external release descriptions #436
Conversation
I would suggest using type, so more types (e.g. automaticity import releases from other format) could be added in the future.
It is part of the AppStream specification, but as it is made to be used for other purposes, where Program,s may want to get a changelog, too, I would suggest a extra directory like share/releaseinfo.
Is the
I personally think this is a little bit overengineering. The changelog of a program for software centers is not security critical. Nothing bad happens if a Domain would be hijacked and someone would provide another changelog, this would not do something else than trolling Users. A big problem that I see is that the changelog is not mirrored. Screenshots are mirrored, so we can be sure that they are always available and the Screenshots are always the same file until next compose. But as I read, the purpose of the external release URL is that the changelog can be changed after release without a new version. So this would not be mirrored and and the software centers would access the URL each time someone is viewing the App. This brings a few problems:
And what about the Flathub website. They need to download the file each time someone visits the App page. you can cache i for let's say a day, but the backbend needs to download and parse a file from some random URL. I'm not sure if the devs are a fan of this. Another problem would be the backwards compatibility. First, everyone (including Flatpak) needs to switch to appstreamcli from appstream-glib. I'm not sure how much distros still use appstream-glib. This would also break the experience for Users which use older Distros. If AppStream adds a new feature it is usually a addition like the new |
It's still very much part of the metainfo specification though, which projects should already have. I don't think scattering files across too many places makes sense, tbh...
Yes, it's used a lot actually, there's a bunch of internal uses I know about but publicly fwupd and KDE make heavy use of it. Whether it's used or not, as long as it is a supported part of the specification we need to support it anyway.
It may not just be a changelog though, it may also contain links to the actual program data.
It is. This change only makes modifications to the metainfo spec, not to the catalog spec. That means for aggregated catalog data, a tool reading that data will never see an external changelog, it is always downloaded by the catalog metadata generator and embedded into the catalog data. That also ensures quite a great deal of backwards compatibility.
A warning is emitted and the generator tool will likely fall back to the locally provided data (I could probably add some recommendations for good behavior to the spec, but I don't want to mandate what implementations do for that case - you could also argue that the component should be rejected entirely if the URL vanished).
Not the case, software centers should never hit the original source unless they read the metainfo file directly. In every other case, a tool like appstream-generator will have take care of the task (of course, there's always Arch Linux which doesn't mirror anything, but for them the privacy issue already exists for screenshots and the problem could be trivially mitigated by only reading the locally provided data instead of the remote one. But that's a fringe case, for most people the catalog generator will have been the only thing that downloaded the metadata.)
AFAIK only Fedora and OpenSUSE. But yeah, it will take a while before projects can rely on this feature, same for when we introduced
That would not be the case, the catalog format remains fully compatible. In some odd cases, distros may need to update the generator server-side, but most do that already anyway :-) |
ximion
force-pushed
the
wip/mak/external-releases
branch
from
4665d91 to
3df299d
Compare
|
I like the idea and from KDE point of view I don't see any issue in implementing and we already provide rss feeds with the release information from the appstream data. See for example: curl https://apps.kde.org/neochat/index.xml | xmllint --format -That we will probably need to do is to copy this release feeds to a cdn so that we don't end up with ddos-ing of our poor servers once discover and co will fetch the metadata ;) |
ximion
force-pushed
the
wip/mak/external-releases
branch
from
3df299d to
0980de7
Compare
ximion
force-pushed
the
wip/mak/external-releases
branch
from
0980de7 to
894da43
Compare
|
I am currently working on an implementation of this feature as described. Once merged, I will release AppStream 0.16 early next month, which will be the last series before the 1.0 release, and likely will receive support for quite a while. It will also include code to make the transition to AppStream 1.0 easier. So, any feedback on this feature is highly appreciated! Fortunately, with the more limited scope set for it, it actually is a lot easier to implement and much less disruptive than I originally assumed :-) |
ximion
force-pushed
the
wip/mak/external-releases
branch
5 times, most recently
from
c3391e0 to
4db736d
Compare
|
If there are no more objections or comments on this, I will merge the change this week (in a few days). |
| <title>Local Release Data</title> | ||
| <para> | ||
| Please note that even if release data is external and also provided on a remote location, it also <emphasis>must</emphasis> be | ||
| available locally, installed as a file into <filename>/usr/share/metainfo/releases/%{cid}.releases.xml</filename>. |
There was a problem hiding this comment.
Could there be collisions over /usr/share/metainfo/releases/%{cid}.releases.xml if %{cid} is listed in multiple appstream files? For example, the situation where org.gnome.Builder.desktop is provided in both the flathub and flathub-beta flatpak repos, as two different versions with two different changelogs.
There was a problem hiding this comment.
There shouldn't be any collision, as the local release metadata will always be alongside the MetaInfo file (so e.g. /usr/share/metainfo/releases/org.gnome.Builder.releases.xml and /usr/local/share/metainfo/releases/org.gnome.Builder.releases.xml don't collide).
For catalog data, we currently don't allow remote releases files (but might do that in future - the code would already read those if we decide to add them later), so each source would have its own URL and we wouldn't have any collisions again.
ximion
force-pushed
the
wip/mak/external-releases
branch
from
4db736d to
28877f5
Compare
|
Thank you very much @pwithnall for the review! It's very appreciated :-) Thanks to everyone for the feedback! |
ximion
force-pushed
the
wip/mak/external-releases
branch
from
28877f5 to
f563650
Compare
Hi!
This PR contains the specification for a "new" metadata format that contains release descriptions. Having them split out of the main metainfo file allows them to be updated independently and separately, and even allows us to fetch updated release information automatically at catalog build time.
This PR follows the discussion at #354
Short summary of the changes:
releasestag with the propertyexternal="yes"(note: maybetype="external"is better / more consistent?). This is done so we don't need tostat()around too much and to have the metadata author communicate their intent clearly (good for validation!).releasestag is the root node of their XML./usr/share/metainfo/releases/%{cid}.releases.xml(cidbeing the component ID they belong to).releasestag.artifactpresent in a release file downloaded from a remote source must not be trusted without further verification for now, until release metadata signing is implemented.As you can see, I cut out the signing & verification issue for now, which, given that we only allow HTTPS links for release metadata, is probably also only a real problem in case of domain hijacking. That way we can make progress on this feature and add signing later (I have ideas as for how that may work too, but taking one step at a time feels like the better approach).
Feedback is very welcome before this gets implemented! (Especially from @pwithnall and @Pointedstick :-))