GitDownloader does not check if reference is valid. #2154

renanbr opened this Issue Aug 6, 2013 · 4 comments


renanbr commented Aug 6, 2013

I was trying to update a Satis repository and archive some packages from Packagist. It's not a Satis issue. I've noticed Packagist provides a version not available in GitHub. See that 1.0.x-dev is available in , but not in . It's neither a sebastian/git issue nor a Packagist issue. GitDownloader should handle it.

Steps to reproduce:

Create a satis.json and configure it to archive.

    {
        "name": "some nice name",
        "homepage": "http://someurl",
        "repositories": [{"type": "composer", "url": ""}],
        "require": {"sebastian/git": "*"},
        "archive": {"directory": "dist"}
    }

Run satis build ./satis.json ./out -vvv. Error message:

Dumping 'sebastian/git-1.0.9999999.9999999-dev'.

  Failed to execute git checkout 'a1fcbf30db9aa944487339bd39784c6cd56f7973' && git reset --hard 'a1fcbf30db9aa944487339bd39784c6cd56f7973'  

  fatal: reference is not a tree: a1fcbf30db9aa944487339bd39784c6cd56f7973                                                                  

Exception trace:
 () at /opt/satis/vendor/composer/composer/src/Composer/Downloader/GitDownloader.php:259
 Composer\Downloader\GitDownloader->updateToCommit() at /opt/satis/vendor/composer/composer/src/Composer/Downloader/GitDownloader.php:43
 Composer\Downloader\GitDownloader->doDownload() at /opt/satis/vendor/composer/composer/src/Composer/Downloader/VcsDownloader.php:59
 Composer\Downloader\VcsDownloader->download() at /opt/satis/vendor/composer/composer/src/Composer/Downloader/DownloadManager.php:177
 Composer\Downloader\DownloadManager->download() at /opt/satis/vendor/composer/composer/src/Composer/Package/Archiver/ArchiveManager.php:141
 Composer\Package\Archiver\ArchiveManager->archive() at /opt/satis/src/Composer/Satis/Command/BuildCommand.php:289
 Composer\Satis\Command\BuildCommand->dumpDownloads() at /opt/satis/src/Composer/Satis/Command/BuildCommand.php:138
 Composer\Satis\Command\BuildCommand->execute() at /opt/satis/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:244
 Symfony\Component\Console\Command\Command->run() at /opt/satis/vendor/symfony/console/Symfony/Component/Console/Application.php:892
 Symfony\Component\Console\Application->doRunCommand() at /opt/satis/vendor/symfony/console/Symfony/Component/Console/Application.php:184
 Symfony\Component\Console\Application->doRun() at /opt/satis/src/Composer/Satis/Console/Application.php:46
 Composer\Satis\Console\Application->doRun() at /opt/satis/vendor/symfony/console/Symfony/Component/Console/Application.php:121
 Symfony\Component\Console\Application->run() at /opt/satis/bin/satis:9

Seldaek commented Aug 7, 2013

How do you suggest we handle this? If the config is invalid it should fail IMO.

stof commented Aug 7, 2013

Well, the actual issue here is that the Packagist GitHub hook does not trigger the removal of the version when a branch is deleted, and so it sends invalid data.

renanbr commented Aug 7, 2013

I was one step ahead, maybe it's a Packagist issue. At first, I thought that when Packagist provides some version, this version should be available forever. On second thought, it could be valid for stable versions. But for now, it makes sense to remove it. If I make two projects that point to the same VCS, they should provide the same versions of a library independently of the time I run the repository build.

@Seldaek, that's my suggestion, I'm just waiting for your feedback. @stof, if you confirm the trigger fails, let's close this issue and move it to the Packagist repository.

stof commented Aug 7, 2013

Well, as composer allows installing from source, Packagist cannot guarantee that the source will keep the version forever as it does not control it. Tags are likely to stay there, but deleting branches is a common case.

And it is indeed an issue for Packagist (see composer/packagist#139 for the old report). Currently, Packagist handles the hook in a dumb way: it uses the hook only to know that something (unknown) happened in the repo and so the Updater should run. As the Updater waits 1 week before deleting a version to avoid deleting versions by mistake in case of GitHub API failures (which tend to happen regularly), branches are not deleted properly. To fix it, Packagist should read more data in the hook payload, to determine that the action was a branch removal (and so removing the version is OK).
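
The hook handling suggested in the comment above, as an added example that is not part of the thread and not Packagist's code: it reads a GitHub push payload, treats only a branch deletion as grounds for dropping a dev version, and goes one step further by checking the delivery's `X-Hub-Signature-256` before acting on it. The function names are hypothetical, the branch-to-version mapping is a simplified approximation of Composer's naming, and the sample delivery is constructed.

```python
import hashlib
import hmac
import json
import re

ZERO_SHA = "0" * 40  # GitHub sends this as "after" when a ref is deleted

def signature_ok(secret, body, header):
    """Verify the X-Hub-Signature-256 header against the raw request body."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())

def dev_version_for_branch(branch):
    """Simplified approximation (assumption) of Composer's dev version naming."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})(?:\.[xX*])?", branch)
    if not m:
        return "dev-" + branch              # master -> dev-master
    numeric = m.group(1)
    if numeric.count(".") == 3:
        return numeric + "-dev"             # 1.2.3.4 -> 1.2.3.4-dev
    return numeric + ".x-dev"               # 1.0 -> 1.0.x-dev

def versions_to_remove(secret, body, header):
    """Dev versions that an authenticated push payload shows were deleted."""
    if not signature_ok(secret, body, header):
        raise ValueError("webhook signature mismatch")
    payload = json.loads(body)
    ref = payload.get("ref", "")
    gone = payload.get("deleted") is True and payload.get("after") == ZERO_SHA
    if not gone or not ref.startswith("refs/heads/"):
        return []   # updates, new refs and tag events go through the normal updater
    return [dev_version_for_branch(ref[len("refs/heads/"):])]

def signed_sample(secret, payload):
    """Build a constructed (not captured) delivery: raw body plus its signature."""
    body = json.dumps(payload).encode()
    return body, "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    secret = b"constructed-test-secret"
    body, sig = signed_sample(
        secret, {"ref": "refs/heads/1.0", "deleted": True, "after": ZERO_SHA})
    print(versions_to_remove(secret, body, sig))
```

Rejecting unsigned or mis-signed deliveries matters here because the handler removes published versions on the payload's word alone.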

@Seldaek Seldaek closed this Apr 13, 2016