Proposal for recipe and package immutability #16
Conversation
|
Sorry if this isnt relevant but here it goes. I havent following up on usage of user/channel (is that just cci convention to drop those?) and relation of this proposal but it at least raises a question of how "promotion" of a package from one user/channel to another user/channel would be affected with this change ? |
|
I'm not completely sure that I understand this - what is currently not immutable? The fact that admins can delete the package from the Artifactory and upload the new one or overwrite the existing one? I don't know how you can prevent this, except by disabling the possibility to delete packages from Artifactory... Regarding the revisions, if the default algorithm for revisions would be the hash of the contents, then only those affected would be those that use Also:
I don't understand this. How can Also, why will |
Hi @rasjani Yes, dropping user/channel is mostly for ConanCenter. Users are still encouraged to use them, specially the "username" part, to identify their own packages created by themselves. Regarding the promotion, that is right, you can read in the proposal, that moving one package from one user/channel to another user/channel violates the immutability. This will be removed in Conan 2.0 (including the |
As long as you can have (and many recipes do have) conditionals and logic in the recipe that depends on
Promotion between repositories. This is a proven, well known best practice for other package managers, and we have been already been designing Conan latest features, like the lockfiles, or the new CI flows (soon to be launched in the Academy trainings), to follow this principle. Some Conan users are already using it successfully, and we are also applying it ourselves at a huge scale in ConanCenter. |
|
Just for historic reasons: the |
🤔 , so if I understood correctly, it would not be possible anymore for package to depend on both |
|
Could this be clarified a bit with regard to the source of hashing? As I understand SCM is used only for recipe revision, while (binary) package revision is always calculated based on the contents, right? This can be calculated only after package is built. In this case I think it is quite important to at least mention that there could be different binary packages with exactly the same settings but different hashes. For example, if compiler flags are different, like Or if I get this wrong and SCM revision used for package revision too we get the opposite situation, where a change in produced binary won't create a new package (same: if there was some compiler codegen issue fixed in patch upgrade). In any case I think it's important to mention your research on reproducible builds. |
No, that shouldn't be related to this, that is about the build-host contexts, and that is expected to still be possible. Actually, using the build-host contexts will also probably be proposed for Conan 2.0 as the default behavior. I might be missing something. |
Yes, but not sure if I understand. This is exactly the purpose of the "package-revisions". Getting a new, different package revision (for the same recipe version, revision, dependencies, settings, etc), only happens if you force another build of the same thing, even if absolutely nothing changed, and you either have a change in the environment that is not modeled by Conan at all, or your builds are not reproducible. You are right:
Does this clarify a bit? Maybe add those items to the doc? |
|
Will it still be possible to mix dependencies from release and develop (stable and unstable) repositories? This is a mandatory requirement for us. We should at least have the possibility to select the remotes on a per-requirement basis then. An even better solution would be to make Conan aware of the versioning workflow so that there is a bijection between SCM branches/tags and the associated packages. Currently we're providing this bijection manually by mapping user/channel to branches/tags. I don't see how this could be mapped to Conan remotes. |
Yes. I think I was thinking more about Conan being distributed so technically it's possible that different repositories have different package revisions. Especially if something like I think my main concern is that it is not possible to know hash in advance to skip the build and if buidls are not totally reproducible just accidentally triggering CI may result in catastrophic rebuilds of all downstream packages. Lockfiles are very close connected to this feature as they can prevent unintended rebuilds (or provide consistency) but building CI around lockfiles is much more work (not everyone may be willing to invest into).
I think it's a good idea. |
Not really an overwrite. 2 things can happen:
I think in the general case there are 2 "safe" CI approaches, based on the "package_id_mode":
Possibly, the first one is more suitable to normal development, in which we assume that changes are in sources, and the environment is quite controlled, (CI, docker images). When something breaks in the environment badly, then a new build can still be forced manually. So the second one seems to make more sense just for very extreme cases, with environment variability or something like that. |
|
Hmmm... Didn't think about it from this perspective. So if package revision of the upstream package defines package id of a downstream one means we can't simply forecast package id for the final app until all dependencies are built. Not sure which consequences this has... Another important thing to keep in mind is ability to install dependencies for development and but get "missing binary package" (for "enterprise ci" case). Then again, lockfiles can help but they should either be checked in or downloaded from ci. Both options are so-so... |
Will jFrog be adding support for atomic moves of multiple packages to avoid possible cases where another user might see 'half' newly promoted packages while promotion copy package-by-package is in progress? (see e.g. conan-io/docs#1935 "Lockfile CI documentation glosses over possible difficulties in atomic Artifactory copy of multiple packages" ) |
If Conan is going to move more towards separate repo usage, I hope that jFrog will add better, finer-grained permissioning support for Artifactory repo creation. In larger organizations, the teams writing CI jobs are (rightly so) not allowed the Artifactory Admin credentials that would allow for repo creation on-the-fly during builds or to create new "distributions". |
Co-authored-by: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>
Can anyone point me to the documentation that describes how to copy packages from one repository to another, please? I like the idea of building packages in an isolated repository, testing them there, and only once happy, transferring them to the 'production' repository in one fell swoop. |
Also see the https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory But see my notes in #16 (comment) about the current lack of atomicity if you need to 'promote' multiple packages at once from one repo to another. |
|
I am a little confused on this one and I think there are two use cases to break down:
The main reason I want to separate these two use cases is because if you, as a developer, are working with multiple recipes you will want to be able to create packages to test things locally before uploading anything to artifactory. In this case I think it's important to allow packages to be mutable because typically things like the packages version (at least in our case) as well as user/channel won't change between these conan create calls, so the packages need to be overwritten in cache or things won't work. Perhaps revisions can solve this but I haven't been able to get this to work well locally and conan sometimes gets confused and doesn't pick the correct package. The second use case is allowing a package to be overwritten in artifactory. This one I think should not be allowed and the idea of making anything already uploaded to artifactory (which by the way, in our case only CI is allowed to do this, no users have upload permissions) immutable I think makes sense. My only real confusion here is what happens to the conan upload --force flag? Can we no longer force upload and overwrite recipes/packages with this proposal or am I missing something? |
Maybe this is a side effect of the current limitation of the Conan cache, that can only contains 1 revision at a time? This is a known problem, as revisions are being bumped out of the cache and replaced with a new one. Yes, indeed, going this way would mean that we need to improve the cache, so it can host multiple revisions simultaneously, and in that way, developers could be doing modifications to packages, creating more revisions without interfering with other projects that are using some given revisions of those packages.
Most likely it means: if the revision you are uploading already exists in the server, remove it, and re-upload (making it the latest revision available). Would be necessary only for extreme cases, to fix something that is broken, as the revisions themselves should allow for a very efficient upload flow (if the revision is in the server no need to do anything, no need to compress/zip files, no need to check checksums of .tgz, as was being done for old V1 without revisions) |
Thank you for the clarification! If this is the case, I think this is something that may need to be fixed, or a work around in place as part of conan 2.0. Being able to develop multiple recipes locally at the same time, with complex interdependencies is critical for us. One key problem we have always had, that is similar to this is that because nothing in cache is changing as we locally change code and run a new conan create command, using build=missing doesn't pick up the change and so changes don't propagate locally without essentially clearing the cache out. Perhaps this change can address this somehow by always creating a new revision in cache that conan recognizes and propagates to other dependencies |
yes, I think a Conan cache that can store multiple revisions for the same recipe would allow that flow, and the |
|
I'm just curious about using packages that have local modifications in cache. Of course that this is not something that should be done, but can often simplify cross-package debugging. For example:
I know that the official Conan way of doing that is:
However, this is very time consuming, as creating package can be quite slow when lots of headers need to be copied (e.g. when fixing bugs in boost or eigen) - it's much faster to edit directly in cache and then copy the edits back to the repository once finished. This has nothing to do with servers nor with how conan works - I'm just curious that if the package revision will be calculated based on package's source, will the application be able to consume the |
Local modifications in the cache will always be forbidden and leading to undefined behavior, binary incompatibilities and loss of data. We are working towards a better experience doing local development, if you are editing a source file and want to test it from downstream, you need to put it in |
I like that. Currently, putting packages into editable mode is a lot of hassle and not practical for most use-cases (especially when I need to test different platforms (e.g. iOS, Android, Emscripten, MacOS) in parallel). By exporting the package into local cache I at least have the chance of properly testing the Yes, I know about I am looking forward to the ideas and proposals for making local cross-package development easier. |
|
This comment is interesting, particularly about needing to manually map from SCM branches/tags to users/channels. We've discussed this internally, as we would like to make a closer association with say, long-lived feature branches and how to thus associate them with packages created so references both don't collide, and are identifiable. Also, recipe revisions seem to follow a linear history, so don't allow for branching in the SCM sense. I don't see a response in the conversation about whether Conan package references/revisions can be made aware (even if opt-in) to SCM branching/tagging workflows. Has there been any thoughts on this possibility? |
This is what we are doing in ConanCenter already: we are mapping every branch/PR to a repository in Artifactory. We put the binaries of that branch there, to not mix them with the production ones. As it might be difficult (Artifactory repo creation permissions) for some teams, it is also possible to have a temporary "tmp" or "builds" repository, and associate every branch/PR with a lockfile. This is what we are doing in the CI/CD examples in the docs and very soon in the CI/CD training. |
|
@memsharded thanks for the response.
Could you provide a link to the docs referred to, please? My Google-fu is failing to find them. |
|
Yes, it is in this section: https://docs.conan.io/en/latest/versioning/lockfiles.html, more specifically the subsection: https://docs.conan.io/en/latest/versioning/lockfiles/ci.html |
|
We are merging as approved this proposal, with some modifications to take into account the feedback received. Check the last commits about it:
Thanks very much all for all the feedback, we will be opening new proposals soon! |
|
We use the
|
|
Hi @climblinne Can you clarify what you mean with The complete "coordinates" of a given binary package containing the artifacts, headers, libs, etc will be |
Packages and recipes, identified by their complete reference including the revision, all artifact bare file contents (conanfile.py, source files, compiled libraries and executables, etc) stored in the Conan cache and in servers are always immutable.
So far, in Conan 1.X packages and recipes are mutable without revisions and there are corner cases, even with revisions, in which the immutability is not achieve. This PR proposes to define all stored recipes and packages as immutable (which the already approved proposal of using revisions greatly help). Please read carefully the proposal and looking forward your feedback.