Verify certain invariants by default when parsing the package

[dralley]

We should probably provide an API which checks the following by default when used

• valid package signature
• internal file digests / signatures match
• certain basic headers are present
• (etc.)

[dralley]

There are some further invariants that would also be good to check, but it's more of a stretch goal. I'm going to paste links here just for future reference.

rpm-software-management/rpm#2025

#115 (comment)

QubesOS/qubes-rpm-oxide#14

"Forbid duplicate tags"

etc.

An open question for me is where to draw the line between warning and refusing to parse the package at all. For instance it would be good to be able to lint packages for things like out-of-order tags, or tags in places where they shouldn't be, but it's not clear that we should refuse to parse them entirely in all cases. After all you can't write a good linter if you can't parse anything.

Maybe "strict" and "loose" parsing options?

[cmeister2]

Perhaps a distinction between parsing and validation - parsing should usually try and do as much as possible, whereas validation should then check the validity of the parsed thing (e.g. `package.validate(schema::strict / schema::loose / schema::whatever)`)

…

On Mon, 22 May 2023, 23:29 Daniel Alley, ***@***.***> wrote: There are some further invariants that would also be good to check, but it's more of a stretch goal. I'm going to paste links here just for future reference. #115 (comment) <#115 (comment)> QubesOS/qubes-rpm-oxide#14 <QubesOS/qubes-rpm-oxide#14> "Forbid duplicate tags" etc. An open question for me is where to draw the line between warning and refusing to parse the package at all. For instance it would be good to be able to lint packages for things like out-of-order tags, or tags in places where they shouldn't be, but it's not clear that we should refuse to parse them entirely in all cases. After all you can't write a good linter if you can't parse anything. Maybe "strict" and "loose" parsing options? — Reply to this email directly, view it on GitHub <#93 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAPA36ONKYEDAMQJDA3DLRLXHPSDTANCNFSM6AAAAAAVQQCWU4> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>