Feature request: Better explanations of the problems found #4

Open

VorpalBlade opened this issue Apr 1, 2024 · 5 comments

Comments

@VorpalBlade

Consider some lines from my first run:

Package addr2line has mismatching file hashes for addr2line-0.21.0/Cargo.lock

Maybe show a diff? Or provide some other easy way to inspect the actual differences. Or is this just due to the library not having a checked in Cargo.lock?

Commit between crates.io tarball and git tag doesn't match for ahash v0.8.11

Aaah! I definitely want more details on that one! (Will be investigating that one manually)

Couldn't publish the package in https://github.com/tkaitchuck/constrandom.git repo status=exit status: 101

Seen this one several times. It would make sense to show more details here.

Couldn't checkout the commit in https://github.com/briansmith/untrusted.git repo status=exit status: 128

Similar to the above, I want more info.

Package still somehow doesn't exist ahash

As an error message, this doesn't stand out enough from the log lines (whatever it means).

@VorpalBlade
Author

Perhaps there could be a flag --investigate package-name=1.2.3 flag or similar that checked out both in directories below the current working directory, and did a soft publish and unpacked that as well. Then it would make it easy for me to manually investigate what is going on.

@VorpalBlade
Author

Found NO tag match with package compact_str
Found NO tag match with package const-random
Found NO tag match with package const-random-macro
Found NO tag match with package generic-array
Found NO tag match with package heck
Found NO tag match with package heck
Found NO tag match with package hermit-abi
Found NO tag match with package ident_case

This seems a good reason to also check whatever commit ID that cargo identified when publishing (if it exists). I would argue checking both and making a summary table at the end.

@paolobarbolini
Member

Thank you very much for all of the feedback. I've spent most of the time scanning crates.io instead of improving the code, but I definitely want this tool to become useful and easy to use in the medium to long term.

The NO tag match error is for crates that don't seem to have tagged the release in question in the git repository. I have already opened issues for a few of them. A lot of maintainers seem to forget to tag or to push tags for new releases. Many crates surprisingly don't use tags at all, which combined with the lack of .cargo_vcs_info.json, or publishing from unknown branches, makes the process of reproducing the release much harder.
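The check sketched in this thread (compare the files in the crates.io tarball against a git checkout, show a diff for mismatches, and also read the commit cargo recorded in .cargo_vcs_info.json), written out as an added example; this is not code from the issue or from the tool being discussed, and the two in-memory trees are constructed sample data standing in for an extracted tarball and a `git archive` of the tag.

```python
import difflib
import hashlib
import json

# Constructed sample trees (path -> bytes). In a real run the left side comes
# from the extracted crate tarball and the right side from `git archive <tag>`.
TARBALL = {
    "Cargo.toml": b'[package]\nname = "demo"\nversion = "1.2.3"\n',
    "Cargo.lock": b"# generated at publish time\n",
    "src/lib.rs": b"pub fn answer() -> u32 {\n    42\n}\n",
    ".cargo_vcs_info.json": b'{"git":{"sha1":"0123456789abcdef0123456789abcdef01234567"},"path_in_vcs":"crates/demo"}',
}
GIT_TREE = {
    "Cargo.toml": b'[package]\nname = "demo"\nversion = "1.2.3"\n',
    "src/lib.rs": b"pub fn answer() -> u32 {\n    41\n}\n",
}

# Files cargo itself writes or rewrites while packaging; a mismatch or absence
# here is expected and is reported separately from real source differences.
PUBLISH_ARTIFACTS = {".cargo_vcs_info.json", "Cargo.toml", "Cargo.toml.orig", "Cargo.lock"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def vcs_commit(tarball):
    """Return (commit sha1, path_in_vcs) recorded by cargo, or None if the file is absent."""
    raw = tarball.get(".cargo_vcs_info.json")
    if raw is None:
        return None
    info = json.loads(raw)
    return info["git"]["sha1"], info.get("path_in_vcs", "")


def compare_trees(tarball, git_tree):
    """Classify every path and attach a unified diff (git -> crate) for each real mismatch."""
    report = {"mismatch": {}, "only_in_tarball": [], "only_in_git": [], "publish_artifact": []}
    for path in sorted(set(tarball) | set(git_tree)):
        a, b = tarball.get(path), git_tree.get(path)
        if path in PUBLISH_ARTIFACTS and (a is None or b is None or sha256(a) != sha256(b)):
            report["publish_artifact"].append(path)
        elif a is None:
            report["only_in_git"].append(path)
        elif b is None:
            report["only_in_tarball"].append(path)
        elif sha256(a) != sha256(b):
            diff = difflib.unified_diff(b.decode(errors="replace").splitlines(keepends=True),
                                        a.decode(errors="replace").splitlines(keepends=True),
                                        fromfile=f"git/{path}", tofile=f"crate/{path}")
            report["mismatch"][path] = "".join(diff)
    return report
```

The commit returned by `vcs_commit` is what a tool could check out when no matching tag exists, and the per-file diff is the kind of detail the first comment asks for instead of a bare "mismatching file hashes" line.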

@paolobarbolini
Member

paolobarbolini commented Apr 1, 2024

I've just seen briansmith/untrusted#69 (comment). Not to downplay issues, but given that many maintainers commit from release branches, it seems a bit alarmist (though arguable, given the scope of the crate) to post a comment like this. I wouldn't want to alienate the community like RustSec did with some maintainers that didn't agree with unmaintained crate advisories (probably because of the backlash from the downstream users).

@VorpalBlade
Author

You are right, I changed from deeply problematic to somewhat problematic.
