We have recently had an issue in Conan Center where users were reporting hash mismatches between the source tarball downloaded from GitHub, and the SHA in the recipe: conan-io/conan-center-index#11801
Upon further investigation, it appears that the v1.6.2 tag for google benchmark was replaced twice (see discussion here) in a short period of time, to address an issue in the commit that the tag originally pointed to.
While this is typically unusual, given the volume of recipes/packages we have in Conan Center, retagging does happen with relative frequency. Having investigated this further, it would appear that in a lot of cases this is more likely to happen in a very short period after the original release.
We have noticed that the PR that introduced 1.6.2 was created by this bot, in a remarkably short period of time after the release was originally tagged: conan-io/conan-center-index#11794
While it is an impressive feat to be able to propagate recipes and packaged binaries to users so soon after the release - we are wondering if it would be possible for this bot to only report new versions if they have already been available for more than a "grace" period - perhaps 24 hours.
As it turns out with this case with the Benchmark library, it was re-tagged (twice) in a short period of time, and in practice due to this, the recipe was almost immediately broken after the re-tagged version resulting in the SHA of the source tarball changing shortly after. I've not been able to find evidence of other package managers being affected, because they simply cut their 1.6.2 with the "final" version of the tag: we were unfortunate in that we got there too quickly :)
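One way the requested grace period could be checked, as an added example that is not part of the original issue and not the bot's own code: a version is reported only once the commit its tag points to has stayed unchanged for 24 hours, so every retag restarts the clock. The `Observation` record, the polling model and the commit ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # the "grace" period suggested in the issue

@dataclass(frozen=True)
class Observation:
    """One poll result (hypothetical record): the commit a tag pointed to at a given time."""
    tag: str
    commit: str
    seen_at: datetime

def stable_since(observations):
    """Map tag -> (current commit, when it was first seen at that commit, retag count)."""
    state = {}
    for obs in sorted(observations, key=lambda o: o.seen_at):
        commit, _, retags = state.get(obs.tag, (None, None, 0))
        if commit is None:
            state[obs.tag] = (obs.commit, obs.seen_at, 0)
        elif commit != obs.commit:
            # The tag moved: count the retag and restart the grace clock.
            state[obs.tag] = (obs.commit, obs.seen_at, retags + 1)
    return state

def reportable(observations, now, grace=GRACE):
    """Tags whose target commit has been unchanged for at least `grace`."""
    state = stable_since(observations)
    return sorted(t for t, (_, since, _) in state.items() if now - since >= grace)

# Constructed sample: a tag that is replaced twice shortly after release.
# The timestamps and commit ids are placeholders, not real values.
T0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Observation("v1.6.1", "commit-z", T0 - timedelta(days=30)),
    Observation("v1.6.2", "commit-a", T0),
    Observation("v1.6.2", "commit-b", T0 + timedelta(hours=2)),
    Observation("v1.6.2", "commit-c", T0 + timedelta(hours=5)),
    Observation("v1.6.2", "commit-c", T0 + timedelta(hours=20)),
]

if __name__ == "__main__":
    for hours in (6, 24, 29):
        print(hours, reportable(SAMPLE, T0 + timedelta(hours=hours)))
```

Measuring from the last retag rather than from the first appearance of the tag is what keeps `v1.6.2` held back 24 hours after the original release in this sample.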