Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/changes
History
Dan Tsekhanskiy aff440236e
Add cache option for software packages to skip re-downloading unchanged content (#42216) 
**Related issue:** 
Ref #34797
Ref #42675 

## Problem

When a software installer spec has no `hash_sha256`, Fleet re-downloads
the package, re-extracts metadata, and re-upserts the DB on every GitOps
run, even if the upstream file hasn't changed. For deployments with 50+
URL-only packages across multiple teams, this wastes bandwidth and
processing time on every run.

## Solution

By default, use etags to avoid unnecessary downloads:

1. First run: Fleet downloads the package normally and stores the
server's ETag header
2. Subsequent runs: Fleet sends a conditional GET with `If-None-Match`.
If the server returns 304 Not Modified, Fleet skips the download,
metadata extraction, S3 upload, and DB upsert entirely

Opt-out with `always_download:true`, meaning packages continue to be
downloaded and re-processed on every run, same as today. No UI changes
needed.

```yaml
url: https://nvidia.gpcloudservice.com/global-protect/getmsi.esp?version=64&platform=windows
always_download: true
install_script:
  path: install.ps1
```

### Why conditional GET instead of HEAD

Fleet team [analysis of 276 maintained
apps](https://github.com/fleetdm/fleet/pull/42216#issuecomment-4105430061)
showed 7 apps where HEAD requests fail (405, 403, timeout) but GET works
for all. Conditional GET eliminates that failure class: if the server
doesn't support conditional requests, it returns 200 with the full body,
same as today.

### Why opt-in

5 of 276 apps (1.8%) have stale ETags (content changes but ETag stays
the same), caused by CDN caching artifacts (CloudFront, Cloudflare,
nginx inode-based ETags). The `cache` key lets users opt in per package
for URLs where they've verified ETag behavior is correct.

Validation rejects `always_download: true` when hash_sha256` is set

## Changes

- New YAML field: `cache` (bool, package-level)
- New migration: `http_etag` VARCHAR(512) column (explicit
`utf8mb4_unicode_ci` collation) + composite index `(global_or_team_id,
url(255))` on `software_installers`
- New datastore method: `GetInstallerByTeamAndURL`
- `downloadURLFn` accepts optional `If-None-Match` header, returns 304
as `(resp, nil, nil)` with `http.NoBody`
- ETag validated per RFC 7232 (ASCII printable only, no control chars,
max 512 bytes) at both write and read time
- Cache skipped for `.ipa` packages (multi-platform extraInstallers)
- TempFileReader and HTTP response leak prevention on download retry
- Docs updated in `yaml-files.md`

## What doesn't change

- Packages with `hash_sha256`: existing hash-based skip, untouched
- FMA packages: FMA version cache, untouched
- Packages with `always_download: true`: identical to current behavior
- Fleet UI: no changes

## Test plan

Automated testing:
- [x] 16 unit tests for `validETag`
- [x] 8 unit tests for conditional GET behavior (304, 200, 403, 500,
weak ETag, S3 multipart, no ETag)
- [x] MySQL integration test for `GetInstallerByTeamAndURL`
- [x] All 23 existing `TestSoftwareInstallers` datastore tests pass
- [x] All existing service tests pass

Manual testing:
- [x] E2E: 86 packages across 6 CDN patterns, second apply shows 51
conditional hits (304)
- [x] @sgress454 used a local fileserver tool to test w/ a new instance
and dummy packages


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* ETag-based conditional downloads to skip unchanged remote installer
files.
  * New always_download flag to force full re-downloads.

* **Tests**
* Added integration and unit tests covering conditional GETs, ETag
validation, retries, edge cases, and payload behavior.

* **Chores**
* Persist HTTP ETag and related metadata; DB migration and index to
speed installer lookups.
* Added installer lookup by team+URL to support conditional download
flow.

* **Bug Fix**
* Rejects using always_download together with an explicit SHA256 in
uploads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Scott Gress <scott@fleetdm.com>
Co-authored-by: Scott Gress <scott@pigandcow.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-04-14 13:01:33 -05:00
..
.keep Issue 1009 calculate diff software (#1305) 2021-07-08 13:57:43 -03:00
14827-prevent-TOCTOU-last-admin Fix TOCTOU race in last global admin protection (#42172) 2026-04-01 15:00:08 -03:00
29657-custom-settings-configuration-profiles Rename custom settings to configuration profiles (#41250) 2026-03-25 10:07:53 +01:00
31289-acme-for-mdm-protocol ACME MDM -> main (#42926) 2026-04-02 15:56:31 -05:00
32126-macos-fleetd-reinstall Fix fleetd in-band upgrade on macOS hosts (#42187) 2026-03-27 09:04:14 -03:00
32662-include-correct-cpe Generate correct CPE from malformed ipswitch whatsup CPE, ensure matches relevant CVEs (#41704) 2026-03-16 16:17:47 -05:00
32773-preview-windows-mdm Fix: Missing guide: How to try Windows MDM (fleetctl preview) (#42451) 2026-03-27 12:15:35 -03:00
33106-fix-generate-gitops-vpp Fix fleetctl generate-gitops failing to include VPP fleet assignments (#42429) 2026-03-26 19:06:51 -05:00
33418-windows-mdm-profile-deletion SyncML <Delete> Windows profiles (#42206) 2026-03-26 18:25:54 -05:00
34288-setup-experience-cancel-activity Clean up setup experience cancellation behavior (#43437) 2026-04-14 09:39:26 -05:00
34433-speedup-macos-profile-delivery speed up macOS profile delivery for initial enrollments (#41960) 2026-03-19 14:58:10 -05:00
34667-scim-user-host-emails-association Fix SCIM user association with host when IdP user is set before being provisioned (#42889) 2026-04-02 13:35:07 -03:00
34950-nano-tables-cleanup #34950 Cleanup nano refetch commands in the background (#42472) 2026-04-02 06:16:55 -04:00
35067-windows-pro-missing-vulnerabilities Fixed bug where Windows hosts would get 0 CVEs. (#42021) 2026-03-19 22:01:59 -05:00
35467-detail-query-config-preload Reduced redundant database calls in the osquery distributed query results hot path (#42157) 2026-03-23 10:31:12 -05:00
35484-improve-policy_membership-contention Improve contention around policy_membership table (35484) (#40853) 2026-03-16 15:12:25 -04:00
36312-trim-spaces-from-fleets-names Trim spaces on Fleet's names (36312) 2026-03-18 12:20:23 -04:00
36643-fix-back-button-policies-reports Fix: Policies page: Browser back button doesn't work as expected (#43082) 2026-04-07 09:51:35 -03:00
36751-add-fmas-to-policy-automation Implement FMA software policy automation (#42533) 2026-03-30 11:25:46 -05:00
36799-macos-disk-space-purgeable Add disk_space fleetd table for accurate macOS disk space reporting (#41575) 2026-03-17 12:59:17 -03:00
37323-jetbrains-cve Updated ingestion/CVE logic to support Jetbrains software with 2 version numbers (#42003) 2026-03-19 11:14:14 -05:00
37546-android-certificate-install-activity Added automatic Android cert retry (#42734) 2026-04-01 13:49:24 -05:00
37556-resend-android-certs Resend android cert to host - frontend, update profile API (#42297) 2026-03-26 13:06:29 -07:00
38002-throttle-ca-certificate-profiles Throttle CA access through MDM (#42114) 2026-03-23 09:04:55 -05:00
38036-gitops-ca-delete-order Fixed GitOps failing to delete a certificate authority (#41693) 2026-03-16 15:51:28 -05:00
38041-entra-windows-conditional-access Windows conditional access: Ingest device_id from Windows devices (#41822) 2026-03-17 12:33:39 -03:00
38647-remove-duplicate-disk-encryption-activity remove unused disk encryption type (#42974) 2026-04-08 17:05:25 -05:00
38785-windows-setup-experience-cancel Add require_all_software_windows config option (#43011) 2026-04-06 17:39:59 -05:00
38793-python-scripts Add Python script support for macOS and Linux (#38562) 2026-03-24 10:01:54 -04:00
38929-reports-tab Fleet UI: Hide host details reports when not supported (#42746) 2026-04-02 16:42:51 -04:00
38988-fma-pin-major-version Pin FMA major version in GitOps (#43053) 2026-04-06 12:36:47 -04:00
39066-vpp-timeout-install-details Improve VPP errors for large install failures (#41997) 2026-03-20 15:37:42 -04:00
39082-setup-logo-light-background Save logo URL for dark and light backgrounds during setup (#41823) 2026-03-17 12:35:36 -03:00
39190-display-sw-version-filter Return light software metadata when listing hosts filtered by software present only on a different team (#42519) 2026-03-30 21:33:21 -07:00
39308-team-ca-read-access Fixed team maintainers, admins, and GitOps users being unable to add certificate templates (#41740) 2026-03-16 12:24:31 -05:00
39316-winoffice-vulnerability-detection Add Windows Office vulnerability detection runtime (3/3) (#42872) 2026-04-03 09:44:55 -06:00
39570-clear-passcode Implement clear passcode backend (#43072) 2026-04-07 15:23:59 -05:00
39842-generate-gitops-bug Use list FMA endpoint in generate-gitops to match FMAs by ID (#42483) 2026-03-26 15:52:28 -04:00
39899-deterministic-cpe-matching Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name (#41649) 2026-03-17 07:22:23 -05:00
39968-sso-validity-increase-default Update SSO session validity from 5 to 15 min by default (#41456) 2026-03-20 10:56:54 +01:00
40015-activate-deprecation-warnings Activate deprecation warnings (#41449) 2026-04-06 09:59:32 -05:00
40050-server-core-msrc-differentiation Differentiate between Windows Server Core and full desktop installations (#42034) 2026-03-21 10:03:57 -05:00
40057-osv-vulns Use OSV for ubuntu vulnerability scanning (#42063) 2026-04-03 15:59:32 -05:00
40117-fix-sql-table-alias-platform-detection The fix skips nodes where type === "column_ref", since those aren't table references (#42821) 2026-04-01 14:22:10 -05:00
40137-update-default-fleet Update default fleet selected on dashboard and controls (#42688) 2026-03-31 09:11:51 -05:00
40177-config-profile-name-status Show configuration profile name and more fine-grained status (#42126) 2026-04-09 12:46:11 -05:00
40581-os-versions-vuln-details Fix OS versions not populated in vulnerability details (#42759) 2026-04-01 17:09:20 -06:00
40702-simplif-os-modal simplify OS modal (#43252) 2026-04-09 16:30:15 -05:00
40715-allow-whitespace-end-users-form Allow typing whitespaces on Settings > Integrations > SSO > End users form (#41817) 2026-03-17 12:35:25 -03:00
40751-google-drive-brew-version Update how google drive fma version is created (#42270) 2026-03-27 16:54:22 -04:00
40785-fix-gitops-vpp-token-assignment Defer all VPP apps when there are missing teams (#42862) 2026-04-02 15:38:58 -04:00
40841-gitops-sw-upload-error Fix GitOps policy-software resolution to fall back to hash when URL lookup fails (#42816) 2026-04-02 17:22:14 -04:00
40910-correct-request-certificate-pem Update PEM header type per hydrant spec (#42052) 2026-03-19 15:37:22 -04:00
40972-policy-description Fleet UI: Add description to add/edit policies (#42692) 2026-03-31 09:35:37 -04:00
41167-skip-bootstrap-clear-on-cert-renewal don't clear bootstrap token when doing MDM cert renewals (#43098) 2026-04-13 14:37:05 -06:00
41324-support-labels-include-all-for-installers Backend: Support labels_include_all for installers/apps (#41324) 2026-03-18 13:27:53 -04:00
41381-eua-ms-installer Added EUA to the Fleet MSI installer (#43295) 2026-04-13 12:17:23 -05:00
41409-use-fleetctl-new-templates-as-starter-lib Use fleetctl new templates for new instances (#42768) 2026-04-03 09:58:03 -05:00
41484-fix-windows-mdm-profile-upload-panic Fixed panic when uploading DDM/Android JSON profile to a team on Fleet Free (#43290) 2026-04-08 16:30:52 -05:00
41500-validate-scripts add missing validation for scripts, tests (#42424) 2026-03-30 10:13:03 -04:00
41534-host-details-reports-api-end-point New API endpoint for host reports (41534) 2026-03-18 11:03:48 -04:00
41540-host-details-reports-db-optimizations Performance improvements for Host Reports (41540) 2026-03-26 07:04:18 -04:00
41542-android-cert-resend-backend 41542 android cert resend backend (#42099) 2026-03-23 17:01:52 -04:00
41586-admin-by-request-false-positive Fixed Admin By Request false positive CVEs (#42095) 2026-03-20 10:35:56 -05:00
41601-use-multiplatform-names-in-front-end Use new multiplatform keys on the front end (#41763) 2026-03-30 08:56:21 -05:00
41603-fix-query-responses Fix get/create/update query response (#41966) 2026-03-20 10:30:52 -05:00
41631-not-installed fix usage of query params in host software endpoint (#42302) 2026-03-24 17:53:19 -04:00
41636-typo-in-msrc-json Fix "vulnerabilities" key in MSRC json (#42706) 2026-04-01 12:25:23 -06:00
41644-improve-cpe-matching Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00
41670-auto-rotate-recovery-lock Backend: Auto rotate recovery lock passwords (#42084) 2026-03-26 12:12:41 -06:00
41672-allow-omitting-manual-hosts-label Allow hosts key to be empty for manual labels (#42022) 2026-03-20 10:36:14 -05:00
41710-overwrite-software-title Update software title names on FMA sync and upload (#42647) 2026-03-30 15:59:19 -04:00
41741-order incorporate display name into setup experience ordering and enforce 1 at a time execution (#42393) 2026-04-06 11:51:39 -05:00
41742-fix-my-device-500-fleet-free Fixed 500 and 402 on My Device page. (#41748) 2026-03-16 16:09:43 -05:00
41753-policy-details-page Fleet UI: Policy details page followup (#43324) 2026-04-10 09:43:42 -04:00
41778-fix-enqueue-setup-experience-items-for-arch-linux Bugfix: properly enqueue compatible setup experience items for arch/omarchy linux (#41778) 2026-03-17 15:04:33 -04:00
41815-override-patch-policy-query Override patch policy query (#42322) 2026-03-25 10:32:41 -04:00
41888-otel-service-name Allow OTEL service name to be overridden (#41890) 2026-03-18 13:59:28 -05:00
42017-host-details-reports-tab [Host details > Reports] Frontend changes (#42017) 2026-03-24 10:45:34 -03:00
42047-android-web-app-banner Add warning banner for Android web apps requiring Google Chrome (#42598) 2026-03-28 15:35:45 -05:00
42103-accept-89-on-profile-removal accept 89 error on RemoveProfile as valid (#43172) 2026-04-07 15:23:37 -05:00
42185-add-flatcar-coreos-linux-platforms Add Flatcar Container Linux and CoreOS to recognized Linux platforms (#42186) 2026-03-23 10:33:48 -03:00
42327-apple-profile-retries Increased Apple retry from 1 to 3. (#42331) 2026-03-26 11:29:20 -05:00
42383-android-display-name Use display name when applicable for Android config change updates (#42626) 2026-03-30 09:51:12 -05:00
42399-support-vpp-policy-automations-in-generate-gitops fix policy software vpp automations (#42400) 2026-03-25 15:10:40 -05:00
42402-fix-query-results-deduplication Query results table: fix id column header and cell styles (#43246) 2026-04-08 13:28:06 -03:00
42405-android-onc-after-cert Android Wi-Fi profile withheld until cert installed on device (#42877) 2026-04-07 16:26:09 -05:00
42443-fix-show-disk-encryption-key-modal Fix disk encryption key modal to not show stale key when switching between hosts (#42444) 2026-03-27 10:13:59 -03:00
42572-fix-duplicate-text Filter errors that start with Couldn't add (#42764) 2026-03-31 16:33:55 -04:00
42600-android-cert-templates-cleared-on-reenroll Clear Android cert records on unenroll. (#42920) 2026-04-02 14:59:09 -05:00
42675-conditional-download-cache Add cache option for software packages to skip re-downloading unchanged content (#42216) 2026-04-14 13:01:33 -05:00
42751-r2-fma 🤖 Add fallback for FMA manifest URL pulls (#43312) 2026-04-09 17:36:18 -05:00
42799-option-to-unlock-not-available-afler-lock Do not clear MDM lock state on "idle" after lock (#42799) (#42825) 2026-04-02 11:02:50 -04:00
42808-rwmutex-jitter-shouldupdate Improved performance of distributed read endpoint (#42810) 2026-04-03 07:13:56 -05:00
42814-sso-learn-more-link Fleet UI: Add "Learn more" link to End-user Authentication docs on SSO settings page (#42814) 2026-04-01 16:25:57 -05:00
42836-deduplicate-flipping-policies-queries Removed duplicate FlippingPoliciesForHost DB calls (#42845) 2026-04-06 10:11:07 -05:00
42881-api-endpoints-initial-models API endpoints initial models (#42881) 2026-04-07 10:40:39 -04:00
42883-api-endpoint-for-listing-rest-api-endpoints Implement GET /api/v1/fleet/rest_api (#42883) 2026-04-10 11:12:38 -04:00
42979-fix-for-multi-team-user Fix UserMenu.tsx for multi-team user (#43059) 2026-04-07 08:13:18 -03:00
42991-patch-policy-gitops-bug Delete unnecessary patch policies in batch set software installers (#43112) 2026-04-07 15:58:29 -04:00
43034-optimize-policy-queries-for-host Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries (#43035) 2026-04-06 08:50:18 -05:00
43114-pagination-bug Fleet UI: Fix page oscillation (#43151) 2026-04-07 14:31:07 -04:00
43125-reports-nav-underline Fix Reports nav underline (#43137) 2026-04-07 13:46:30 -03:00
43162-software-table-bookmarkable-page Fleet UI: Fix software table bookmarkability for pages (#43166) 2026-04-07 15:59:48 -04:00
43341-gitops-mode-wonkiness Fleet UI: Fix gitops mode wonkiness (#43428) 2026-04-14 09:31:34 -04:00
43342-improved-button-link-styling Fleet UI: Improve internal links/buttons (#43470) 2026-04-14 09:30:26 -04:00
43389-patch-policy-gitops-bugs Fix patch policy bugs (#43420) 2026-04-10 21:42:14 -04:00
add-api-time-on-gitops-errors Add API time on GitOps errors to ease troubleshooting (#43000) 2026-04-06 10:58:41 -03:00
allow-clearing-windows-update-settings Allowed clearing Windows OS update deadline (#42272) 2026-03-25 16:02:54 -05:00
bump-mysql-8.0.42 Bump MySQL test version from 8.0.39 to 8.0.42 (#42122) 2026-03-20 14:24:29 -05:00
docs-read-replica-config-clarity Docs: Clarify MySQL read replica config is independent from primary (#43013) 2026-04-08 17:43:14 -05:00
input-field-to-ts 🤖 Switch InputField + InputFieldWithIcon JSX components to TS, add more test coverage, fix Storybook build (#43307) 2026-04-09 08:41:48 -05:00
issue-40076-clear-enrolled-from-migration clear enrollment from migration status on host when it is a new enrollment (#42553) 2026-04-07 07:44:52 -05:00
issue-40809-bitlocker-loop Bitlocker: do not decrypt already encrypted drive. (#43130) 2026-04-09 18:33:03 -04:00
refactor-named-functions-nil-checks Refactored to improve NilAway coverage (#42106) 2026-03-19 22:01:44 -05:00
ts6 Update to TypeScript 6.0 (#43141) 2026-04-09 08:28:59 -05:00
turn-off-prom-in-dev-mode Don't turn Prometheus on in --dev mode (#43129) 2026-04-07 12:01:26 -05:00
up-default-software-batch up default limit for software batch (#41827) 2026-03-17 10:20:09 -05:00
update-go-1.26.1 Updated go to 1.26.1 (#42027) 2026-03-19 07:01:00 -05:00