adguardhome: Bump to 0.107.55

[Ra2-IFV]

Bump version to 0.107.54, change log in links below.

Use source from upstream tag tarballs instead of Git repo. Move working directory from /var/adguardhome to
/var/lib/adguardhome, according to Linux FHS.
Add option to store PID file, defaulting to /run/adguardhome.pid.

Link: https://github.com/AdguardTeam/AdGuardHome/milestone/89?closed=1

Maintainer: @dobo90 @1715173329

Compile tested: working on it
Run tested: not yet
Description:

[Ra2-IFV]

          Please dont do this. We can not download tarball named like this.

Originally posted by @BKPepe in #25450 (comment)

[1715173329]

No, please check how other packages have done for this.

[Ra2-IFV]

It feels so nasty when we have a tarball for this but you just cant use it because of download.pl
And it's even worse when the git script is doing a full clone from the repository, it's almost 3x larger than the tarball from tags

[BKPepe]

Does the size matter on the computer, which you are using for the buildsystem to evenutally to cross-compile packages for your devices? :-) I did not verify the size so far of your proposed solution, which says use upstream tag tarballs without the reason, why instead of the Git repo.

However, using Git sources is not preferred at least from my point of view. Its a big security risk, because if someone tinkers with the tarball, checksum is not verified anyhow. See: https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html

In your case, you might want to use codeload, though. If we are talking about using codeload or your proposed solution, dont forget, that the tarball is created by GitHub itself, which means that there isnt checksum to verify (see checksums.txt file) in their release. Sometimes autogenerated tarballs are missing some things, which are required to have to build the package and the tarball from GitHub can be changed anyhow and then the checksum is not valid (I havent experienced this case, yet, but others said yes...)

So, I dont find anything wrong to keep using Git sources, i still dont know the reason, why you did it. 🤷

We are not living in the ideal world.

[vincejv]

Please do not repeat the same mistakes with libxz issue

And it's even worse when the git script is doing a full clone from the repository, it's almost 3x larger than the tarball from tags

also, why is the git script not doing shallow clones? does it pull the entire commit history?

[Ra2-IFV]

@vincejv May I ask what are you talking about, the xz backdoor incident? I can't understand why you are mentioning that here
And yes, in my case the script is doing a full clone.

Cloning into 'adguardhome-0.107.54'...
remote: Enumerating objects: 38166, done.
remote: Counting objects: 100% (76/76), done.
remote: Compressing objects: 100% (49/49), done.
Receiving objects:   1% (514/38166), 204.00 KiB | 15.00 KiB/s

[Ra2-IFV]

@BKPepe because the script is doing a full clone, and for some reason my git keeps failing if trying to clone a very large repository, so I want to use tarballs instead.
Please forgive me for being so dumb, I still can't understand this... Even though the tarball is generated by Github, it's from a git tag, and in most cases it shouldn't change
We also have PKG_HASH to check malicious tarballs in case someone tries to do something nasty

[Ra2-IFV]

@Ra2-IFV exactly what you are trying to do, getting the code from the tarballs instead of the repository and the tarball contained tainted and malicious backdoor code, which was NOT present at all in the repository, no one was able to check as reviewing source code from tarballs is not part of the code review process.

so the attacker uploaded a tarball by himself, and it's different from the repository?

it was assumed the tarball = reviewed source code, but it was not, the maintainer injected code and blobs before signing and uploading the tarballs

See: https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html\

But from the wikipedia and other sources, Jia Tan gained trust from other developers and seems the malicious codes are already in the repository, he just signed off a new release..

Jia Tan gained the position of co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor,

[1715173329]

Well let's back to the topic. I believe @BKPepe was talking about the filename at first.
Your PR will create a unidentifiable tarball with just some random numbers and it could lead potential conflict issue.

So again, please check other packages for example.

[Ra2-IFV]

Yes! I noticed that!
And the solution is PKG_SOURCE_URL:=https://codeload.github.com/vim/vim/tar.gz/v$(PKG_VERSION)?
Just copy pasted and replaced from xray package, so again thank you so much my dear teacher 😢

[Ra2-IFV]

Uh sorry, that's for another pull request but almost the same.

[Ra2-IFV]

Should I change initrc files in a seprate commit?

[1715173329]

Should I change initrc files in a seprate commit?

Yes

[gl-dude]

Has this PR or #25639 been confirmed to fix #25600?

Even though the AdGuard Home package hasn't been changed in months, it recently started to be compiled without the assets for the admin panel embedded into the executable.

[Ra2-IFV]

don't know, this looks like to be an issue from upstream

…

On January 3, 2025 2:13:52 AM UTC, gl-dude ***@***.***> wrote: Has this PR or #25639 been confirmed to fix #25600? Even though the AdGuard Home package hasn't been changed in months, it recently started to be compiled without the assets for the admin panel embedded into the executable. -- Reply to this email directly or view it on GitHub: #25521 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>