wrap: add imposter URL test
this test shows that meson wrap subsystem historically allows
imposter URLs like https://wrapdb.mesonwrap.com.evil/v1/foo.zip
while the new code does no.
In my opinion, we should not fall back to http:// from the SSL HSTS WrapDB URL,
**for systems that have Python SSL** as that is controverting the point
of HSTS + SSL.
For systems that do not have Python SSL, they continue to work with a
colored mlog.warning instead of only a stderr console print.
attempt to stop masquerade URLS containing wrapdb.mesonbuild.com.evil.stuff.com
507cf47507cf47 broke the combination of clone-recursive without depth.
Because it passed depth (as None) to git.
To fix this the depth option is now generated once as a list when depth is set
and else set to an empty list and unpacked into the argument this when
needed. This reduces duplication and allows code to work the same for
both cases.
Don't manually emulate a partial `git clone` when `depth` option is not
used. This keeps `git describe` working as before and generally supports
workflows that depend on tags and branches to exist in a wrap downloaded
subproject.
This also fixes downloading via git not working at all on CentOS 7
(git version 1.8.3.1).
For the `depth` case use `git clone --branch=... --depth=...` when
possible and only fall back to manual emulation wraps that specify a
full commit id, because for some reason that does not work with the
clone based workflow.
Fixes: #5991 (Regression in wrap support with git)
* If clone-recursive is specified, populate submodules only after
the specified revision/branch has been checked out. Fixes#4996
* Update submodules recursively on `meson subprojects update`
If the directory exists we early return or raise exception in resolve()
method. It was already like that even before the recent refactoring of
the code.
It is safer like that anyway, we don't want a project reconfigure to
silently pull new code. Updating subprojects should be an explicit
action of the user. For example gst-build has a 'git-update' script that
does that. In the future we could add a 'meson subprojects update'
command.
It is sometimes important to be able to build projects offline, in that
case subproject tarballs and patches could be shipped directly within
the project's repository.
- Use CongifParser instead of parsing ourself, this will give more
flexibility in the future.
- Always read the .wrap file first, because if it contains the
'directory' key we should use that value instead of packagename for
the path where do download/lookup for the subproject.
- If we download the subproject (git/submodule/tarball/etc) we should
still check it contains a meson.build file.
Otherwise, git fiddles with the cmd.exe console's color behaviour and
disables it, which causes it to stop interpreting ANSI color codes
outputted by meson for colored output.
Effectively, as soon as any subproject is initialized, cmd.exe goes
nice coloured output to ugly raw ANSI codes.
The '+' and 'U' cases should not happen normally because we don't run
any git commands if the subproject directory exists and contains
a meson build file. However, if the user accidentally messed up the
subproject checkout to a version that had no build files, we would
error out with an assertion.
Using wrap mechanism in enterprise environment,
Some package is very large, example, sdk package from
BSP vendor.
so:
- open file in the output directory with a temporary name
- download a chunk, update hash calculation, write chunk to file
- when finished close file and check the hash
- if hash is incorrect, delete temp file and raise error
- if hash is correct, atomically rename temp file to final file
fix issue: #2358