Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid entry in the RECORD file in pants's wheels #18111

Closed
SpecLad opened this issue Jan 28, 2023 · 8 comments · Fixed by #18219
Closed

Invalid entry in the RECORD file in pants's wheels #18111

SpecLad opened this issue Jan 28, 2023 · 8 comments · Fixed by #18219
Assignees
@jsirois
Labels
bug

Comments

@SpecLad
Copy link

SpecLad commented Jan 28, 2023

Describe the bug

$ bsdtar -xOf pantsbuild.pants-2.14.1-cp39-cp39-manylinux2014_x86_64.whl pantsbuild.pants-2.14.1.dist-info/RECORD | grep VERSION
pants/VERSION,sha256=vNrRse8ZHLdFijrFjxUetx6i8tw/9fa0kvdd3+kbGDU=,6

This line is incorrect. According to the specification, the hash digest should a) be using the URL-safe alphabet, and b) have no padding at the end. In other words, the line should look like this:

pants/VERSION,sha256=vNrRse8ZHLdFijrFjxUetx6i8tw_9fa0kvdd3-kbGDU,6

Every other entry in the file is already correct, it's just pants/VERSION that's broken.

Pants version
2.14.1, but I looked at some other versions too and they're broken in the same way.

OS
All.

Additional info
N/A
@SpecLad SpecLad added the bug label Jan 28, 2023
@SpecLad
Copy link
Author

SpecLad commented Jan 28, 2023

Looks like the issue comes from here:

pants/build-support/bin/reversion.py

Line 61 in 8da1ced

b64_encoded = base64.b64encode(fingerprint.digest())

It should be b64_encoded = base64.urlsafe_b64encode(fingerprint.digest()).rstrip(b'=').

@SpecLad
Copy link
Author

SpecLad commented Jan 29, 2023

Every other entry in the file is already correct

Spoke too soon; the entries for the pantsbuild.pants-2.14.1.dist-info/* files also exhibit the same problem.

@jsirois
Copy link
Contributor

jsirois commented Jan 29, 2023

Yeah, so I find:

$ unzip -qc ~/Downloads/pantsbuild.pants-2.14.1-cp39-cp39-macosx_11_0_arm64.whl pantsbuild.pants-2.14.1.dist-info/RECORD | grep =,
pants/VERSION,sha256=vNrRse8ZHLdFijrFjxUetx6i8tw/9fa0kvdd3+kbGDU=,6
pantsbuild.pants-2.14.1.dist-info/METADATA,sha256=WUDHsXqSHJjX2R1P+n7t+ujfzobJrNViSo7IkWwsgUU=,34898
pantsbuild.pants-2.14.1.dist-info/WHEEL,sha256=oITnL8r4K9lhj+wWSHlE2XUA0J8WLXdegrKtvi/34zA=,108
pantsbuild.pants-2.14.1.dist-info/entry_points.txt,sha256=PPhLegkjKzPy7mhIYYpl2tyAI6XngR4OI9pqvsoCyKo=,54
pantsbuild.pants-2.14.1.dist-info/namespace_packages.txt,sha256=AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=,1
pantsbuild.pants-2.14.1.dist-info/top_level.txt,sha256=SMY0x5WZgtCApbw/EApPfTQ6I3wIcw0CApL+5veAEiI=,20
pantsbuild.pants-2.14.1.dist-info/zip-safe,sha256=AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=,1

It looks like we do potentially modify all dist-info files:

pants/build-support/bin/reversion.py

Lines 102 to 105 in 8da1ced

def reversion(
*, whl_file: str, dest_dir: str, target_version: str, extra_globs: list[str] | None = None
) -> None:
all_globs = ["*.dist-info/*", "*-nspkg.pth", *(extra_globs or ())]

So I think you've identified the right bug + fix above.

@SpecLad do you want to post a PR for the fix?

@benjyw benjyw self-assigned this Jan 29, 2023
@SpecLad
Copy link
Author

SpecLad commented Jan 29, 2023

@SpecLad do you want to post a PR for the fix?

Not really, to be honest. Setting up the build environment seems complicated, and the fix is very simple, so I'm hoping that you can do it yourselves.

@SpecLad SpecLad mentioned this issue Jan 29, 2023
Open
@kaos
Copy link
Member

kaos commented Jan 29, 2023

@SpecLad thanks for the report. 👍🏽

@jsirois
Copy link
Contributor

jsirois commented Feb 9, 2023

@benjyw I can knock this out; just let me know by un-assigning yourself if that sounds good. It would be good to get this fixed before Friday / the march of 2.16.x through alpha and beyond.

@benjyw benjyw removed their assignment Feb 9, 2023
@benjyw
Copy link
Contributor

benjyw commented Feb 9, 2023

@jsirois thanks! Unassigned myself

@jsirois jsirois self-assigned this Feb 9, 2023
@jsirois
Copy link
Contributor

jsirois commented Feb 9, 2023

I've just verified wheel unpack serves as a handy check that fails against the current broken-ness:

$ rm -rf /tmp/check && wheel-check.venv/bin/wheel unpack dist/deploy/wheels/pantsbuild.pants/33a6cf8a53daf5b39fbaca9798bb6f2459314dec/2.14.1/pantsbuild.pants-2.14.1-cp39-cp39-manylinux2014_x86_64.whl --dest /tmp/check
Traceback (most recent call last):
  File "/home/jsirois/dev/pantsbuild/jsirois-pants/wheel-check.venv/bin/wheel", line 8, in <module>
    sys.exit(main())
  File "/home/jsirois/dev/pantsbuild/jsirois-pants/wheel-check.venv/lib/python3.9/site-packages/wheel/cli/__init__.py", line 91, in main
    args.func(args)
  File "/home/jsirois/dev/pantsbuild/jsirois-pants/wheel-check.venv/lib/python3.9/site-packages/wheel/cli/__init__.py", line 19, in unpack_f
    unpack(args.wheelfile, args.dest)
  File "/home/jsirois/dev/pantsbuild/jsirois-pants/wheel-check.venv/lib/python3.9/site-packages/wheel/cli/unpack.py", line 17, in unpack
    with WheelFile(path) as wf:
  File "/home/jsirois/dev/pantsbuild/jsirois-pants/wheel-check.venv/lib/python3.9/site-packages/wheel/wheelfile.py", line 75, in __init__
    algorithm, hash_sum = hash_sum.split("=")
ValueError: too many values to unpack (expected 2)

And fails against invalid hashes (I hacked this one manually):

$ rm -rf /tmp/check && wheel unpack pantsbuild.pants-2.14.1-cp39-cp39-manylinux2014_aarch64.whl -d /tmp/check
Unpacking to: /tmp/check/pantsbuild.pants-2.14.1...Hash mismatch for file 'pantsbuild.pants-2.14.1.dist-info/zip-safe'

And succeeds with a valid RECORD only.

jsirois added a commit to jsirois/pants that referenced this issue Feb 9, 2023
@jsirois
Fix published wheel RECORDs.
3382a59 
The hash format is fixed and a verification step added to prevent
publishing invalid wheels going forward.

Fixes pantsbuild#18111
@jsirois jsirois mentioned this issue Feb 9, 2023
Merged
jsirois added a commit that referenced this issue Feb 9, 2023
@jsirois
Fix published wheel RECORDs. (#18219)
817db43 
The hash format is fixed and a verification step added to prevent
publishing invalid wheels going forward.

Fixes #18111
jsirois added a commit to jsirois/pants that referenced this issue Feb 9, 2023
@jsirois
Fix published wheel RECORDs. (pantsbuild#18219)
cab0227 
The hash format is fixed and a verification step added to prevent
publishing invalid wheels going forward.

Fixes pantsbuild#18111

(cherry picked from commit 817db43)
@jsirois jsirois mentioned this issue Feb 9, 2023
Merged
jsirois added a commit that referenced this issue Feb 9, 2023
@jsirois
Fix published wheel RECORDs. (Cherry-pick of #18219) (#18220)
4952694 
Fix published wheel RECORDs. (#18219)

The hash format is fixed and a verification step added to prevent
publishing invalid wheels going forward.

Fixes #18111

(cherry picked from commit 817db43)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsirois jsirois

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix published wheel RECORDs. jsirois/pants
4 participants
@kaos @jsirois @benjyw @SpecLad