[question] Conan centre package rereleases #16320
Comments
|
Thanks for your question. Quick question, have you read https://docs.conan.io/2/devops/using_conancenter.html? This would be updated advice on how to use ConanCenter packages in production environments. |
|
Regarding your questions:
Because often it is necessary to do changes to recipes, that still package exactly the same source code, for example the boost - 1.81.0 source code. When the recipe changes to accomodate some new compiler, architecture, or to solve a bug, it gets a new revision, yet the underlying packaged source code is
The advice in https://docs.conan.io/2/devops/using_conancenter.html for your case:
|
|
Hi @memsharded, thanks for the swift reply. It is very much appreciated. No, I have not seen those links before. Thank you for adding them here so I can reach them easily. I'll read over them and use the information to help my issue. I noticed these links and your response mentions how Conan 2 is expected to work for production envs. Would the information in your response and these links extend to Conan 1.x series too (sadly not ready to upgrade to 2.0 yet)? |
Yes, most of the information in that docs is equally valid for Conan 1.X with a couple of notes:
|
|
@memsharded I think this is systemic of packaging not being contained with official sources like other ecosystems do, I personally believe Conan should take note from Debian, where rereleases use |
|
@memsharded I think @AshleighAdams has a very good point to consider. That would be a safer alternative to allow for developer teams to create new packages that patches issues but still live as a version of that release. With the boost example, we would still have the original |
I am not sure how this is different from |
|
Hi @memsharded , sorry for the late reply. The general idea is the same. However, it would need the packages on Conancenter to either append the recipe revision to the dependencies or build off a lock file to ensure the intended recipe and version of each dependency package is found correctly. At the moment, the recipes in the conancenter packages do neither. Take boost's recipe on conancenter as an example. These are transitive dependencies that do not enforce a recipe revision so rereleases of these deps will be an issue |
Interesting... how so? |
What is your question?
Conan version: v1.64.0
OS version: Windows 11
Hi,
I have several conan project that utilizes packages from my company's local Artifactory conan repository and conan center. We store our 1st party tools and products in our local artifactory and have started point to conan centre to retrieve the 3rd party libraries, build them locally then upload the recipe and package to our local artifactory. Over time, I've noticed that a few packages we have stored fail to be installed due to the recipe hashes not matching up. This is due to 3rd party dependencies relied on have been rereleased with a new recipe for a previously released version. For example, boost v1.81.0 had a release and caused issues for installs
We couldn't find any clear docs to cover what to do when the packages you rely on are rereleased on conan centre and conflict. To work around this, we append the recipe hash to the end of the package reference so avoid the conflict i.e
boost/1.81.0@#9bd7ae86a881631b6cc76590621e470b. This helps but hit issues when a dependency of a 3rd party is rereleased as well, causing somewhat of a domino affect of declaring each problematic dependency and declaring an overriding requirement with the target recipe hash until all issues are goneMy questions are the follow:
Have you read the CONTRIBUTING guide?
The text was updated successfully, but these errors were encountered: