make downloads atomic and verify installed assets #35

Open
opened 2026-05-22 10:43:56 +00:00 by rc · 0 comments
Owner

Finding:
Download/install is non-atomic and weakly verified.

Problem:

  • cmd_download writes directly to final filenames in the asset directory.
  • A failed second download, unpack failure, or interrupted process can leave a bootable-looking but mismatched asset set.
  • Kernel unpacking does not validate the expected image magic before using offsets.
  • Decompression has no explicit output-size cap.

Impact:

  • Users can end up with partial or inconsistent assets and confusing boot failures later.
  • Corrupt or malicious inputs have more room to waste disk/memory during unpack.

Suggested fix:

  • Download into a temporary directory or temporary filenames.
  • Verify all files before moving them into the final version directory.
  • Use atomic rename for completed asset sets.
  • Validate kernel image magic/format before unpacking.
  • Add a decompressed-size cap.
  • Use checksums/signatures when Alpine publishes suitable metadata.

Related issues:

  • Checksum verification overlaps with #4.
  • Unbounded decompression overlaps with #8.

Relevant code:

  • src/cmd_download.zig: direct writes to final asset paths.
  • src/utils.zig: kernel unpack/decompression.
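The staged-install flow suggested above, worked through as an added example (this is not vmz's code and not from src/cmd_download.zig or src/utils.zig). The "download" is a constructed in-memory dict with a constructed checksum manifest so it runs offline; which kernel header magic vmz has to check (arm64 Image vs x86 bzImage) is an assumption, as is the hypothetical fetch helper. It shows the four pieces together: staging on the same filesystem, checksum and magic verification before publishing, a decompression cap, and one atomic rename that either installs the whole set or nothing.

```python
"""Staged, verified, atomically published asset install (added example; not
vmz's own code).  The "download" is a constructed in-memory dict so it runs
offline; which kernel header magic vmz must check is an assumption."""
import gzip
import hashlib
import os
import shutil
import tempfile
import zlib

# Linux kernel image signatures: arm64 Image has b"ARM\x64" at offset 0x38,
# x86 bzImage has b"HdrS" at offset 0x202.  Which applies to vmz is an assumption.
KERNEL_MAGICS = {"arm64-image": (0x38, b"ARM\x64"), "x86-bzimage": (0x202, b"HdrS")}

def make_fake_arm64_image(payload: bytes) -> bytes:
    """Constructed stand-in for a kernel: 64-byte header with the magic, then payload."""
    hdr = bytearray(64)
    hdr[0x38:0x3C] = b"ARM\x64"
    return bytes(hdr) + payload

# Constructed "remote" files and a checksum manifest (stand-in for published metadata).
REMOTE = {
    "vmlinuz": make_fake_arm64_image(b"kernel-code" * 8),
    "initramfs": gzip.compress(b"cpio-archive-bytes" * 16),   # 288 bytes uncompressed
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in REMOTE.items()}

def fetch(name: str) -> bytes:
    """Hypothetical stand-in for the HTTP download (real code would stream to disk)."""
    return REMOTE[name]

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_kernel_magic(path: str, kind: str) -> bool:
    """True only if the expected magic sits at its offset; short files simply fail."""
    offset, magic = KERNEL_MAGICS[kind]
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(len(magic)) == magic

def gunzip_capped(data: bytes, max_out: int) -> bytes:
    """Decompress a gzip stream but refuse to emit more than max_out bytes."""
    d = zlib.decompressobj(wbits=31)                 # 31 = gzip container
    out = d.decompress(data, max_out + 1)            # one byte of slack exposes overflow
    if len(out) > max_out:
        raise ValueError(f"decompressed output exceeds cap of {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return out

def install_assets(root, version, kernel_kind, max_initramfs, manifest=MANIFEST, fetch_fn=fetch):
    """Download into a staging dir on the same filesystem, verify everything,
    then publish the whole set with one rename.  Any failure leaves no trace."""
    final_dir = os.path.join(root, version)
    if os.path.exists(final_dir):
        raise FileExistsError(final_dir)
    staging = tempfile.mkdtemp(prefix=f".{version}.", dir=root)
    try:
        for name in ("vmlinuz", "initramfs"):
            path = os.path.join(staging, name)
            with open(path, "wb") as f:
                f.write(fetch_fn(name))
                f.flush()
                os.fsync(f.fileno())                 # data durable before the rename
            if sha256_file(path) != manifest[name]:
                raise ValueError(f"checksum mismatch for {name}")
        if not check_kernel_magic(os.path.join(staging, "vmlinuz"), kernel_kind):
            raise ValueError(f"vmlinuz is not a {kernel_kind} (bad magic)")
        with open(os.path.join(staging, "initramfs"), "rb") as f:
            gunzip_capped(f.read(), max_initramfs)   # probe size; keep compressed file
        os.replace(staging, final_dir)               # atomic: all files or none
        dfd = os.open(root, os.O_RDONLY)
        try:
            os.fsync(dfd)                            # persist the directory entry
        finally:
            os.close(dfd)
        return final_dir
    except BaseException:                            # includes an interrupting Ctrl-C
        shutil.rmtree(staging, ignore_errors=True)
        raise

def demo() -> dict:
    """Run the happy path and the failure modes in a scratch directory."""
    root = tempfile.mkdtemp()
    r = {}
    final = install_assets(root, "alpine-test", "arm64-image", max_initramfs=1 << 20)
    r["installed"] = sorted(os.listdir(final))
    r["wrong_kind"] = check_kernel_magic(os.path.join(final, "vmlinuz"), "x86-bzimage")
    bad_manifest = dict(MANIFEST, vmlinuz="0" * 64)
    for label, kwargs in (("cap", dict(max_initramfs=100)),
                          ("sum", dict(max_initramfs=1 << 20, manifest=bad_manifest))):
        try:
            install_assets(root, "alpine-" + label, "arm64-image", **kwargs)
            r[label] = None
        except ValueError as e:
            r[label] = str(e)
    r["leftover"] = sorted(os.listdir(root))         # failed attempts leave nothing behind
    shutil.rmtree(root, ignore_errors=True)
    return r

if __name__ == "__main__":
    print(demo())
```

The staging directory is created inside the asset root rather than in /tmp so that os.replace is a same-filesystem rename and therefore atomic; a rename across filesystems silently degrades into copy-then-delete. The decompression is only probed here to enforce the cap; whether vmz should keep the compressed or the unpacked initramfs is left to the project.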
Reference
rc/vmz#35