@Cynerd
Contributor

@Cynerd Cynerd commented Mar 6, 2023

This introduces changes from NuttX commit 03b164f.

The only thing left out is 'Register:', as that provides a pretty handy list of applications in the firmware.

The download is unified to handle it always the same way.

Follow up on #1588 (comment).

This introduces changes from NuttX commits:
 03b164f
 7fef3e48e6092a59e58b541ef62bdd5f2f600b61

The only thing left out is 'Register:', as that provides a pretty handy list of
applications in the firmware.

The download is unified to handle it always the same way.
@Cynerd
Contributor Author

Cynerd commented Mar 8, 2023

Please, wait with merge. There seem to be issues with downloading wamr. I have to look into it.

@acassis
Contributor

acassis commented Mar 17, 2023

@Cynerd please let me know: does this PR hide the Downloading and Patching lines? I think it is important for users to know that the files are downloaded during the building phase.

@ghost

ghost commented Mar 19, 2024

I agree. It is critical to know that a build cannot be completed while staying offline.

@hartmannathan
Contributor

> I agree. It is critical to know that a build cannot be completed while staying offline.

> @Cynerd please let me know: does this PR hide the Downloading and Patching lines? I think it is important for users to know that the files are downloaded during the building phase.

I agree also. It is definitely critical to know that things are being downloaded.

Wherever we are doing a download, we should also allow a custom URL in Kconfig, so that developers who want to locally host the dependencies will be able to do so.

@hartmannathan
Contributor

> Please, wait with merge. There seem to be issues with downloading wamr. I have to look into it.

You can mark the PR as Draft until ready for review. That will prevent someone merging by mistake...

@acassis
Contributor

acassis commented May 31, 2024

Hi @Cynerd, maybe a better approach is to just show: Downloading: filename-x.y.z and, when it finishes downloading: done.

What do you think?

@xiaoxiang781216
Contributor

@Cynerd could you fix the conflict?

@Cynerd
Contributor Author

Cynerd commented Jun 9, 2024

I will look at this next week. This is pretty old and was created only to keep it consistent in my eyes with the rest of the changes introduced at that time. I think that it still makes sense in terms of echoing that the download is happening but not in the way of reporting its progress.

In the meantime, we also modified the build process of our own projects in a way that nothing is being downloaded, and thus, I had less incentive to deal with this.

@acassis
Contributor

acassis commented Jun 9, 2024

> I will look at this next week. This is pretty old and was created only to keep it consistent in my eyes with the rest of the changes introduced at that time. I think that it still makes sense in terms of echoing that the download is happening but not in the way of reporting its progress.
>
> In the meantime, we also modified the build process of our own projects in a way that nothing is being downloaded, and thus, I had less incentive to deal with this.

Agree! All user friendly improvements are welcome!

@cederom
Contributor

cederom commented Nov 2, 2024

ping :-)

@Cynerd
Contributor Author

Cynerd commented Nov 26, 2024

I am kind of busy with other work, and I am failing to get some free time to finish this maintenance work. If anyone has free time on their hands, feel free to finish it. I just can't promise to look at it in a few weeks' time (I have been postponing it already for half a year, and the target now diverged so much that it must be started almost from scratch).

@cederom
Contributor

cederom commented Jan 30, 2025

ping :-)

@linguini1
Contributor

@Cynerd any plans to continue with this PR? Otherwise I think we should close it.

@hartmannathan
Contributor

> @Cynerd any plans to continue with this PR? Otherwise I think we should close it.

@linguini1 @cederom @acassis @xiaoxiang781216

IMHO we should never silently download external packages!

Why:

  1. Security reasons: some developers need to ensure only known bits are used in the build.

  2. Offline / airgapped build environments: some developers will need to manually obtain external packages.

  3. Customization: some developers will want to customize the external packages, use alternative versions or branches, or supply their own substitute.

In fact I think in Kconfig we should have a global permission switch, similar to "allow GPL" / "allow BSD", called "Allow downloads" (CONFIG_ALLOW_DOWNLOADS). All invocations of curl, wget, git, or other remote download commands should be gated behind this switch to avoid the unwanted accidental download.

@linguini1
Contributor

Makes sense to me!

@xiaoxiang781216
Contributor

> > @Cynerd any plans to continue with this PR? Otherwise I think we should close it.
>
> @linguini1 @cederom @acassis @xiaoxiang781216
>
> IMHO we should never silently download external packages!
>
> Why:
>
> 1. Security reasons: some developers need to ensure only known bits are used in the build.
>
> 2. Offline / airgapped build environments: some developers will need to manually obtain external packages.
>
> 3. Customization: some developers will want to customize the external packages, use alternative versions or branches, or supply their own substitute.
>
> In fact I think in Kconfig we should have a global permission switch, similar to "allow GPL" / "allow BSD", called "Allow downloads" (CONFIG_ALLOW_DOWNLOADS). All invocations of curl, wget, git, or other remote download commands should be gated behind this switch to avoid the unwanted accidental download.

We already have all these in Kconfig:
https://github.com/apache/nuttx/blob/master/Kconfig#L28-L100
And all 3rd party libraries aren't enabled by default.
If some package is downloaded from the network, it must be enabled with the license by the user explicitly, so it's fine to skip the log without -v.

@cederom
Contributor

cederom commented Oct 27, 2025

> @hartmannathan: @linguini1 @cederom @acassis @xiaoxiang781216
>
> IMHO we should never silently download external packages!
>
> Why:
>
> 1. Security reasons: some developers need to ensure only known bits are used in the build.
>
> 2. Offline / airgapped build environments: some developers will need to manually obtain external packages.
>
> 3. Customization: some developers will want to customize the external packages, use alternative versions or branches, or supply their own substitute.
>
> In fact I think in Kconfig we should have a global permission switch, similar to "allow GPL" / "allow BSD", called "Allow downloads" (CONFIG_ALLOW_DOWNLOADS). All invocations of curl, wget, git, or other remote download commands should be gated behind this switch to avoid the unwanted accidental download.

Full agree here thanks @hartmannathan ! Just like in FreeBSD Ports :-) Security + customization + testing -> to get selected packages before the build phase! :-)

++ as @xiaoxiang781216 noticed packages must match selected licensing model :-)

@Cynerd
Contributor Author

Cynerd commented Oct 27, 2025

The point of this was not to hide the info about the downloaded package. That is just not what this does. It instead replaces the download progress with a message that is part of the existing NuttX reporting functionality that was introduced in the NuttX build system. You are still informed that the download is happening, but standard NuttX build progress reporting is not broken by the download progress.

Honestly, I would prefer that nothing be downloaded in the build phase, but that would require probably an additional phase to be added in NuttX itself (if that wasn't done in the meantime).

I haven't invested any time in this the past year, so I would just close this. As I already once stated, it is treewide, and because every package manages downloads in its own separate way, it is a lot of work to do this switch. I should have probably only added defines and done the change step by step. In the meantime, I saw that NuttX now has DOWNLOAD defined, so hopefully packages will migrate on their own, and thus this PR introduces absolutely nothing new.

@Cynerd Cynerd closed this Oct 27, 2025
@cederom
Contributor

cederom commented Oct 27, 2025

Thank you @Cynerd ! Yup it would be best to have list of all stuff to be downloaded (aka "fetch phase") before the "build phase"... we need to add something like this in a global design manner :-)
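
Added example, not part of the thread and not NuttX code: one way to combine the two ideas discussed above, a global download permission switch and a fetch step that only accepts known bits. `CONFIG_ALLOW_DOWNLOADS` is the switch proposed in the thread and is hypothetical; `fetch_pinned`, its return codes and the per-package SHA-256 pin are assumptions made for illustration, and `sha256sum` and `curl` are assumed to be installed.

```shell
#!/bin/sh
# Gate every fetch behind a Kconfig-style switch and a pinned digest.
# CONFIG_ALLOW_DOWNLOADS is the switch proposed in the thread (hypothetical).

# downloads_allowed CONFIG_FILE -> 0 only if the switch is explicitly set to y
downloads_allowed() {
  grep -q '^CONFIG_ALLOW_DOWNLOADS=y$' "$1" 2>/dev/null
}

# verify_sha256 FILE EXPECTED_HEX -> 0 only if the file's digest equals the pin
verify_sha256() {
  [ -f "$1" ] || return 1
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# fetch_pinned CONFIG_FILE URL DEST EXPECTED_HEX
# Returns: 0 ok, 2 download needed but not permitted,
#          3 digest mismatch, 4 transfer failed
fetch_pinned() {
  cfg=$1 url=$2 dest=$3 pin=$4
  if [ -f "$dest" ]; then
    # A pre-seeded file (air-gapped build, local mirror) is accepted
    # only if it matches the pin; no network access is attempted.
    if verify_sha256 "$dest" "$pin"; then
      echo "Using local copy: $dest"
      return 0
    fi
    echo "error: $dest does not match pinned SHA-256" >&2
    return 3
  fi
  if ! downloads_allowed "$cfg"; then
    echo "error: $dest missing and CONFIG_ALLOW_DOWNLOADS is not set;" \
         "obtain it from $url and place it there" >&2
    return 2
  fi
  echo "Downloading: $url"   # always announced, never silent
  curl -fsSL -o "$dest.part" "$url" || { rm -f "$dest.part"; return 4; }
  if ! verify_sha256 "$dest.part" "$pin"; then
    rm -f "$dest.part"       # unverified bytes never reach the build tree
    echo "error: downloaded file does not match pinned SHA-256" >&2
    return 3
  fi
  mv "$dest.part" "$dest"
}
```
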
