motiejus/zig
1
Fork 0
Code Releases Activity

introduce package id and redo hash format again

Browse Source 
Introduces the `id` field to `build.zig.zon`.

Together with name, this represents a globally unique package
identifier. This field should be initialized with a 16-bit random number
when the package is first created, and then *never change*. This allows
Zig to unambiguously detect when one package is an updated version of
another.

When forking a Zig project, this id should be regenerated with a new
random number if the upstream project is still maintained. Otherwise,
the fork is *hostile*, attempting to take control over the original
project's identity.

`0x0000` is invalid because it obviously means a random number wasn't
used.

`0xffff` is reserved to represent "naked" packages.

Tracking issue #14288

Additionally:

* Fix bad path in error messages regarding build.zig.zon file.
* Manifest validates that `name` and `version` field of build.zig.zon
  are maximum 32 bytes.
* Introduce error for root package to not switch to enum literal for
  name.
* Introduce error for root package to omit `id`.
* Update init template to generate `id`
* Update init template to populate `minimum_zig_version`.
* New package hash format changes:
  - name and version limited to 32 bytes via error rather than truncation
  - truncate sha256 to 192 bits rather than 40 bits
  - include the package id

This means that, given only the package hashes for a complete dependency
tree, it is possible to perform version selection and know the final
size on disk, without doing any fetching whatsoever. This prevents
wasted bandwidth since package versions not selected do not need to be
fetched.
This commit is contained in:
Andrew Kelley
2025-02-24 20:24:52 -08:00
parent 9763dd2901
commit d6a88ed74d
8 changed files with 151 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
lib/init/build.zig.zon
View File

@@ -6,12 +6,29 @@
//
// It is redundant to include "zig" in this name because it is already
// within the Zig package namespace.
.name = "$",
.name = .$n,
// This is a [Semantic Version](https://semver.org/).
// In a future version of Zig it will be used for package deduplication.
.version = "0.0.0",
// Together with name, this represents a globally unique package
// identifier. This field should be initialized with a 16-bit random number
// when the package is first created, and then *never change*. This allows
// unambiguous detection when one package is an updated version of another.
//
// When forking a Zig project, this id should be regenerated with a new
// random number if the upstream project is still maintained. Otherwise,
// the fork is *hostile*, attempting to take control over the original
// project's identity. Thus it is recommended to leave the comment on the
// following line intact, so that it shows up in code reviews that modify
// the field.
.id = $i, // Changing this has security and trust implications.
// Tracks the earliest Zig version that the package considers to be a
// supported use case.
.minimum_zig_version = "$v",
// This field is optional.
// This is currently advisory only; Zig does not yet do anything
// with this value.