Skip to content

Checksum failing when using semver build meta-data #6504

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
jake-ruyi opened this issue Jan 1, 2019 · 5 comments
Closed

Checksum failing when using semver build meta-data #6504

jake-ruyi opened this issue Jan 1, 2019 · 5 comments
Labels
C-bug Category: bug

Comments

@jake-ruyi
Copy link

jake-ruyi commented Jan 1, 2019
edited
Loading

Maybe not a bug.

Problem
Crates with semver build metadata (e.g. 1.1.1+2) seem to have issues with:

error: checksum for `runng-sys v1.1.1+4` changed between lock files

Or:

error: failed to verify the checksum of `runng-sys v1.1.1`

Details:

  • I wanted a crate of FFI bindings to track the version of the native library (e.g. 1.1.1)
  • Tried to use semver build metadata for "minor" crate updates that still used the same version of the native library (e.g. 1.1.1+2)
  • First ran into problems getting doc.rs to pull and build the correct version (failed builds), eventually getting it to work by yanking all but the most recent crate (crates.io version history)
  • If all versions except 1.1.1+4 are yanked, Cargo.toml with runng-sys = "1.1.1" fails with error: checksum for XYZ changed between lock files
  • If all versions except 1.1.1 and 1.1.1+4 are yanked, Cargo.toml with runng-sys = "1.1.1" fails with error: failed to verify the checksum
  • Everything is fine when using path dependencies: runng-sys = { path = XYZ }

I've flailed around with this enough that I'm not entirely sure what the problem is. Rather than publishing more packages and digging myself a deeper hole, thought I should stop and ask.

Also see:

  • Originally reported here
  • Additional info here

Steps
Made a dummy package cargo_issue_6504 to verify it has nothing to do with my stuff.

Both 1.1.1 and 1.1.1+1 are not yanked:

  1. cargo new test2
  2. In Cargo.toml, cargo_issue_6504 = "1.1.1"
  3. cargo build fails with failed to verify the checksum

2.2.2 is yanked, 2.2.2+1 is not:

  1. cargo new test2
  2. In Cargo.toml, cargo_issue_6504 = "2.2.2"
  3. cargo build succeeds
  4. Second cargo build fails with checksum for XXX changed between lock files

Possible Solution(s)

  • Seems to be several dangling issues related to semver + metadata (1, 2, several others)
  • Supporting build metadata adds flexibility (especially with publishing to crates.io being permanent), but...
  • Maybe there should at least be a warning that "your package isn't going to work"

Notes

Output of cargo version:

cargo 1.31.0 (339d9f9c8 2018-11-16)
@jake-ruyi jake-ruyi added the C-bug Category: bug label Jan 1, 2019
@jake-ruyi jake-ruyi mentioned this issue Jan 1, 2019
Closed
@alexcrichton
Copy link
Member

Thanks for the report!

I've tracked this down to the fact that {Hash,Eq} for semver::Version doesn't actually include build metadata so Cargo's own internal map of versions to hashes gets mixed up because the Version instances collide with one another.

I think that according to the semver spec 1.1.1 is actually equivalent to 1.1.1+a, so I actually think it's a violation that we allowed multiple of those versions to be published in the first place!

@steveklabnik just wanted to double check with you, but does that sound right on the semver side of things?

@ehuss
Copy link
Contributor

ehuss commented Jan 3, 2019

Rejecting on publish seems to be the inclination in rust-lang/crates.io#1059.

Also, maybe Cargo should warn if you have metadata in a versionreq. For example, bitflags = "=1.0+foo" works.

@alexcrichton
Copy link
Member

Ah right yes, forgot about that! And yeah I think it's probably worthwhile for Cargo to warn and/or reject build metadata on version requirements

@steveklabnik
Copy link
Member

steveklabnik commented Jan 3, 2019 via email

@alexcrichton
Copy link
Member

Ok! Let's close this in favor of rust-lang/crates.io#1059 then

@ehuss ehuss mentioned this issue Apr 1, 2019
Merged
bors added a commit that referenced this issue Apr 1, 2019
@bors
Auto merge of #6806 - ehuss:warn-semver-metadata, r=Eh2406
8cf0c95 
Warn on version req with metadata.

Metadata in a version requirement (such as `1.0.0+1234`) is ignored. This adds a warning that it will be ignored.

On crates.io I found about 5 crates, plus a few dozen google-* crates (presumably all created by the same person) which have dependencies of this form.

See discussion at #6504 (comment). cc rust-lang/crates.io#1059 for ongoing discussion about what to do about publishing such versions.
@joshtriplett joshtriplett mentioned this issue Jul 25, 2019
Closed
@ogoffart ogoffart mentioned this issue Nov 23, 2022
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
C-bug Category: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@steveklabnik @ehuss @alexcrichton @jake-ruyi