Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hooks for package caching? #1811

Open
dbr opened this issue Aug 9, 2024 · 4 comments
Open

Hooks for package caching? #1811

dbr opened this issue Aug 9, 2024 · 4 comments

Comments

@dbr
Copy link
Contributor

dbr commented Aug 9, 2024

I would like to, somehow, make the pkg-cache directory read-only - so packages can be added and removed, but their contents not altered by the user

Motivation
For example a Rez package might contain a template file someone might open for reference, but they should not be able to accidentally save over it.

We have a post-release hook which removes write-permissions from released packages. This helps prevent accidental modifications to installed packages.

However if the package package is cached, this gets copied to a writable location, so it's possible to accidentally change something, which can be equally confusing

@dbr dbr added the enhancement label Aug 9, 2024
@jasoncscott
Copy link
Contributor

What OS are you on? Rez uses shutil.copytree(), which is supposed to copy permissions (via copystat: https://docs.python.org/3/library/shutil.html#shutil.copystat)

@dbr
Copy link
Contributor Author

dbr commented Aug 9, 2024

Oh, good point - I forgot to mention this is on Windows, using ACL, so things aren't so simple :hurtrealbad:

Specifically the release hook runs something like icacls.exe $folder /deny DOMAIN\group:(OI)(CI)(W,D,DC,WD) on each variant at release time

@cfxegbert
Copy link
Contributor

cfxegbert commented Aug 12, 2024

shutils.copytree() is very basic on how it copies files and just handles Posix permissions and symbolic links. It does not handle things like extended attributes (only supported on Linux), ACLs, and dual fork files. In an MacOS environment extended attributes become important when you start dealing with code signing on shared storage. In a Windows environment ACLs are needed for basic file permissions.

Since packages are copied as the user currently running the rez command you can end up with interesting permissions problems on a shared machine (multiple shifts, renderfarm, ...)

If some sort of hooks are added to package copying we would also most likely need hooks for when a package is cleaned from the local cache.

@instinct-vfx
Copy link
Contributor

Just to put this out there without having really thought it through. I was wondering in the past if the actual copying should be pluggable like VCSs. That would also open up rather easy ways to implement things like zipped payloads nor non-filesystem sources maybe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants