Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vcpkg 2018.11.23-nohash #2733

Closed
ras0219-msft opened this Issue Nov 7, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@ras0219-msft
Copy link

ras0219-msft commented Nov 7, 2018

As part of installing packages, vcpkg downloads several external executables such as nuget.exe and 7-zip. 7-zip specifically is downloaded from NuGet.org as a NuGet package and then unpacked locally.

To protect users from malicious executables, the vcpkg system has hashes checked in for every file that is externally downloaded. Unfortunately, NuGet.org has just modified all existing packages to include signature files inside the zip, which changes the hash.

We have fixed this issue in Vcpkg master[1], however since appveyor uses an older copy it will not have these fixes until the next image update.

These are the possible mitigation strategies I see:

  1. Mint a new image with the new vcpkg version
  2. Before spinning up a windows build, run git pull && ./bootstrap-vcpkg.bat in the vcpkg tool folder. This avoid minting a new image but requires adding startup time to every build. If you want to pull a specific commit with the fix, use 068032bc548817a04709970f76268a6d7b1767c7.
  3. Recommend to users that they do #2 before their builds -- this will still cause disruption for users because they need to see at least one of their builds fail, search, and eventually stumble upon this issue.

A longer-term mitigation against issues like this in the future would be to recommend in the appveyor docs on vcpkg that users explicitly pull new versions before running their build.

[1] Microsoft/vcpkg#4663

@IlyaFinkelshteyn IlyaFinkelshteyn added this to the next-images-update milestone Nov 8, 2018

IlyaFinkelshteyn added a commit to appveyor/website that referenced this issue Nov 8, 2018

@IlyaFinkelshteyn

This comment has been minimized.

Copy link
Member

IlyaFinkelshteyn commented Nov 8, 2018

@ras0219-msft will add this to next image update, Unfortunately we started distribution of new image yesterday and it is already late to get into this train. Next one should not take too long. As you see I am updating documentation, and you are welcome to contribute too :)

IlyaFinkelshteyn added a commit to appveyor/website that referenced this issue Nov 8, 2018

craftwar added a commit to craftwar/obs-studio that referenced this issue Nov 12, 2018

craftwar added a commit to craftwar/obs-studio that referenced this issue Nov 12, 2018

@FeodorFitsner

This comment has been minimized.

Copy link
Member

FeodorFitsner commented Jan 31, 2019

Updating vcpkg:

cd "C:\Tools\vcpkg"
git pull
.\bootstrap-vcpkg.bat

@FeodorFitsner FeodorFitsner changed the title Vcpkg will fail to install packages due to NuGet.org changes Vcpkg 2018.11.23-nohash Jan 31, 2019

@IlyaFinkelshteyn

This comment has been minimized.

Copy link
Member

IlyaFinkelshteyn commented Feb 12, 2019

New Windows images deployed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.