Re: [Buildroot] [PATCH v2 2/3] package/ripgrep: bump to version 14.0.3

["Yann E. MORIN" <yann.morin.1998@free.fr>]

Thomas, Antoine, All,

On 2023-12-30 20:44 +0100, Yann E. MORIN spake thusly:
> On 2023-12-30 19:00 +0100, Thomas Petazzoni via buildroot spake thusly:
> > On Fri, 29 Dec 2023 23:13:35 +0100
> > "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > > If that's so, then we have a big problem: the hashes for all the
> > > cargo-based packages will change, and thus it means we will have to
> > > name the generated archive based on the cargo version used to do the
> > > vendoring. That would apply to:
> > Note that I also encountered some hash mismatch on some Rust/Cargo
> > package recently, and BR was falling back to sources.buildroot.net. I
> > did not have the time to investigate at the time (I was looking into
> > another issue, and didn't want to enter an infinite recursion of
> > problem solving quest). And now, I don't remember with which package I
> > encountered this. But yes, it seems like we have a reproducibility
> > issue.
[--SNIP--]
>   - ripgrep fails vendoring, and reports the same hash failure
>   - host-sentry-cli fails vendoring, again with the same reported hash
>     failure

diffoscope to the rescue: the only change in either package, is a single
file that got its mode bits changed (context elided for brevity):

    --- ripgrep-af6b6c543b224d348a8876f0c06245d9ea7929c5.tar
    +++ ripgrep-af6b6c543b224d348a8876f0c06245d9ea7929c5-2.tar
    ├── file list
    │ @@ -2731,1 +2731,1 @@
    │ --rwxr-x---   0        0        0    10719 2021-06-12 12:12:24.000000 ripgrep-af6b6c543b224d348a8876f0c06245d9ea7929c5/VENDOR/unicode-width/scripts/unicode.py
    │ +-rwxr-x--x   0        0        0    10719 2021-06-12 12:12:24.000000 ripgrep-af6b6c543b224d348a8876f0c06245d9ea7929c5/VENDOR/unicode-width/scripts/unicode.py

    --- sentry-cli-2.20.3.tar
    +++ sentry-cli-2.20.3-2.tar
    ├── file list
    │ @@ -15292,1 +15292,1 @@
    │ --rwx------   0        0        0     1796 2023-07-31 09:58:46.000000 sentry-cli-2.20.3/VENDOR/username/src/lib.rs
    │ +-rwx--x--x   0        0        0     1796 2023-07-31 09:58:46.000000 sentry-cli-2.20.3/VENDOR/username/src/lib.rs

In either case, a single file had its mode bits changed, and it smells
like go+X was applied.

It seems that cargo did change its behaviour at some point, as the
archive as manually downloaded from crates.io does have the executable
bits as we originally expected:

    $ wget -O unicode-width-0.1.8.tar.gz https://crates.io/api/v1/crates/unicode-width/0.1.8/download
    $ tar xzf unicode-width-0.1.8.tar.gz
    $ ls -hl unicode-width-0.1.8/scripts/unicode.py
    -rwxr-x---. 1 ymorin ymorin 11K Jun 29  2020 unicode-width-0.1.8/scripts/unicode.py*
    $ wget -O username-0.2.0.tar.gz https://crates.io/api/v1/crates/username/0.2.0/download
    $ tar xzf username-0.2.0.tar.gz
    $ ls -hl username-0.2.0/src/lib.rs
    -rwx------. 1 ymorin ymorin 1.8K Aug 10  2017 username-0.2.0/src/lib.rs

I could not find anything relevant in the cargo bug tracker:
    https://github.com/rust-lang/cargo/issues?q=is%3Aissue+vendor+executable+bit

So, I have no clue what the best course of action would be. The
short-term workaround is to chop-off one more digit from the ripgrep
version and recalculate a new hash for it, and for sentry-cli maybe we
can update the version (or switch to a commit hash).

Probably we will want at some point to introduce a vendoring version,
like we have for the git and svn methods. so that we can update rust
(and thus cargo) without requiring a version bump/tweak for all affected
packages...

As an aside, the situation for sentry-cli is a bit concerning: the
'username' crate only ever had one release, 0.2.0, over 6 years ago
now, and the documentation and repository listed on the crates.io
page no longer exist:

    https://crates.io/crates/username
    http://pijul.org/user/doc/user/index.html   => 404
    https://pijul.org/darcs/user                => 404

Meh?...

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot