-
Notifications
You must be signed in to change notification settings - Fork 525
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add hash of nuget package to lock file #3789
Conversation
I love it! Thank you for picking up the torch. @forki what do you think of updating the default 'paket init' settings to include hashes? |
I'd love to have lock file hashes as default for v6. We are currently in
alpha. So now is the time. But please make it backwards compatible
Chet Husk <notifications@github.com> schrieb am Fr., 7. Feb. 2020, 05:08:
… I love it! Thank you for picking up the torch. @forki
<https://github.com/forki> what do you think of updating the default
'paket init' settings to include hashes?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3789?email_source=notifications&email_token=AAAOANHP4FNW42GX5YDGCHLRBTNEZA5CNFSM4KRICMXKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELBU7YI#issuecomment-583225313>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAOANA7CXKUYOAFKP5BJ5DRBTNEZANCNFSM4KRICMXA>
.
|
I believe as it stands this is fully backwards compatible.The way it currently works hashes are only written to the lock file and verified if Let me know which one you want to go with. |
Depending on what problems you are assuming to solve with this you might very well be fooled by how the dotnet sdk integration works. Can we discuss what we are trying to solve with this? (I'm quite in favor of this, but users might expect more from this than what we actually achieve) |
My goal with this is to get the sha512 into the lockfile, so that I can feed the restore process files from Nix. Nix likes to completely own all external requests, so that it can manage builds being fully reproducible, and pulling files from caches when necessary. This PR is a piece of what I need to do that. My rough plan is:
I dont think I will run afoul of any default dotnet behavior, in my experiments so far with manually placing the The hash verification for non Nix users is a happy side effect, it is not needed for my use case. |
@xavierzwirtz I think this might generally work, but there are some edge cases which might not: Sometimes NuGet decides it needs additional or different versioned packages (which are then downloaded with If you want to test early how viable this approach is, I think you can use the paket cache feature and then try to go offline and clear the nuget cache and see how far you can get with the paket cache only. In any case maybe it works just fine now, last time we tried to disable all NuGet sources for |
There's a confounding factor here for nix derivations in particular, in that framework references aren't versioned in the nuget spec files. I imagine your derivation generator would need to take into account the global.json file in that case? That's not directly applicable for this work here just something I was thinking of. |
That's exactly what I did, was able to get a simple hello world project building. The nice thing about Nix is I don't have to clear anything, each build is fully sandboxed. @baronfel, I definitely haven't got that far with it yet, just identified the issues with packages so far. Looks like the SHA512 hash is generating differently in CI, probably because its running on Windows. Ill chase that to ground. What is the verdict for making recording hashes default? By my reckoning we have 3 good options:
My preferred option is 3, however I am not the one who has to answer issues after this gets merged. If 3 makes you nervous, 2 is safer. |
If you really want to test it thoroughly and want to commit to this feature (ie send patches after initial release). I'd suggest:
If you just want to make it work for yourself / opt-in. Or test it beforehand with a real release you can make it opt-in as you suggest. My feeling says if this is opt-in it will only be used by very few people and chances are high the feature will be broken eventually. |
I have found a pretty major wrinkle for this change. For some reason my linux machine's nuget cache is full of subtly modified nupkg files. The CI checks are failing because the lock file I added only works on my machine. From my investigation so far, I have no idea why the nupkg is different. I attempted a fresh restore with paket after wiping the cache, and the downloaded file has the correct hash. I then attempted wiping the cache, and using After discovering this, I looked into how NuGet handles locking the hash of a package. It looks like they hash the contents of the nupkg, instead of hashing the nupkg itself. This makes me think that they discovered the same issue. The "bad" nupkg I had on my linux machine had identical contents to the "good" package that I have been able to repeatedly retrieve from nuget.org. As it stands, I don't think the ergonomics can be made acceptable for verifying the hash of the nupkg itself by default, too many users will have caches with subtly tainted files. As a path for moving forward I propose:
|
Looks like this is the culprit for my magical changing hash. let fixDatesInArchive fileName =
try
use zipToOpen = new FileStream(fileName, FileMode.Open)
use archive = new ZipArchive(zipToOpen, ZipArchiveMode.Update)
let maxTime = DateTimeOffset.Now
for e in archive.Entries do
try
let d = min maxTime e.LastWriteTime
e.LastWriteTime <- d
with
| _ -> e.LastWriteTime <- maxTime
with
| exn -> traceWarnfn "Could not fix timestamps in %s. Error: %s" fileName exn.Message
let fixArchive fileName =
if isMonoRuntime then
fixDatesInArchive fileName @matthid looks like you added this waaay back in I'm scared to touch something that weird looking, must have been a good reason for it. |
So in summary that was a workaround for a mono bug which was fixed in mono 4 |
I whacked it out, we'll see if tests pass. |
Not seeing any failures caused by the removal of |
You might be able to get around that for the test runs by setting a different environment variable value for 'NuGetCachePath' during the test runs. |
Tried that, its only saving some json files in the specified cache folder, no nupkg files. |
I could use some guidance on how to move this forward. It looks like the logic to hash nupkg files is done, with the default of saving the hash but not verifying. Tests are failing due to tainted caches on the build machines though. I dont like the option of deleting the paket cache from the hash integration tests, feels like that would bite someone in the butt. |
What are the options or what do you need to get this green? |
I think I might have found a new tactic to make this work sanely, and allow it to be the default behavior. The problem is, I need a way to detect the difference between cached:
After reviewing the cached package folder for a package restored by NuGet, NuGet writes a file called This will cause caches to be completely removed upon first use of this new version. Is that an acceptable change? |
8aeefb0
to
7f77120
Compare
This feature has proven much more painful than I originally thought it would be. Here is the state of my latest work:
This logic feels rock solid from my testing, no issue with hashes of identical files not reproducing between machines. The problem arises whenever the nupkg files are not identical. So far there are two routes to that. In versions of paket other than this PR, when running under mono paket modifies files inside the nupkg LastWriteTime. This causes the hash to not be reproduceable. The way I have resolved that, is writing A bigger issue, is the nugetfallbackfolder. It looks like the packages in the nugetfallbackfolder on the CI server do not match what gets downloaded from nuget, making them dangerous to use if hashing is enabled. Looping back around to the package cache, I think that whenever NuGet itself downloads a package, it does not modify the nupkg in any way. However, it does use the nugetfallbackfolder, and will insert tainted nupkg files into the cache from there. Therefore we have to treat cached nupkg files downloaded with NuGet the same and evict them from the cache. I am considering this change done enough for a PoC, if @matthid and @forki are okay with:
then I will polish this up and get it merge ready. |
and verify on restore.
tainted nupkg files on CI servers restored by nuget
8322acb
to
94d8d21
Compare
@xavierzwirtz hi any updates on that? Interested in using Paket with Nix as well. |
Got ghosted, so I moved on without this PR. I have an implementation of dotnet2nix here that handles paket, at the subset of features that I use. |
I think the only outstanding question was how to handle the fallback cache, right? I think nuget is moving away from the fallback cache with the package source work they just released, and I think a part of that is a flag to disable the fallback cache. We should look at setting that all the time, IMO. |
@xavierzwirtz @baronfel do you think we could consider merging it with a flag that disables fallback cache? |
It has been a long time since I wrote this code and thought about the impact it would have to paket to merge. I am not comfortable vouching for this code, and can't commit any more time to trying to get it merged. If your goal is to utilize paket with nix, the version of dotnet2nix that I linked above works around the need for this pr by creating a dotnet.lock.nix that contains the sha256 hashes of all nuget packages. |
Re: fallback cache, I think we should add |
@baronfel Is adding this tag something that is planned in near future? |
Rebase and polish of the work done in #1332 by @baronfel. From my testing, I am not seeing any stability issues with the hashing of the nupkg.
This will enable Nix derivations to be generated from a paket.lock.