fix(version-age): prevent AttributeError when attrs is null#306
fix(version-age): prevent AttributeError when attrs is null#306edge-delta[bot] wants to merge 8 commits into
Conversation
Add package for the Haskell Language Server (HLS), the official LSP implementation for Haskell. Builds from source using GHC + Cabal with dynamic linking, copying the binary and all required shared libraries via ldd dependency resolution. - Source: GitHub tag 2.14.0.0 with automatic extraction - Build deps: base, cabal, ghc - Runtime deps: glibc - Network access enabled for cabal dependency index updates - Includes standalone version check test
A non-blocking pull_request check that, for each changed packages/*/build.ncl, resolves the upstream release date (attrs.released_at override -> GitHub releases/tags -> ftp.gnu.org Last-Modified -> unknown), computes age, and posts a job-summary table flagging anything younger than a 7-day reference (the #20 minimum-soak criterion). Report-only and additive: contents:read, no secrets, never fails the job, and MUST be kept off branch-protection required checks. Its high-value output is the live census of which packages have no derivable date and need attrs.released_at. The attrs.released_at schema (minimal) + example + minimum_version bump are a deliberate, deferred follow-up gated on sizing the backfill (see #20); the script already handles released_at's absence gracefully, so this lands standalone. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The ~82 no-source_provenance packages (toolchains, X11 libs, pinned binaries)
still have an http(s) source tarball -- so generalize the GNU-specific
Last-Modified HEAD to any source URL ("date on the file"). New tier 4 (after
GitHub/GNU, before UNKNOWN), and a fall-through fallback for GitHub/GNU packages
whose tag/tarball didn't resolve. (Repology was evaluated and dropped -- its API
exposes versions but no release dates.)
Last-Modified is availability/upload time, not strictly upstream release; close
enough for a soak gate, and dwell (git time) backstops it. http(s) only; the URL
is taken whole from the spec (no SSRF-via-version), with a code comment flagging
the fork-PR HEAD surface for the reviewer.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Running the resolver over the full catalog (373 pkgs) surfaced two real
bugs that would have errored or under-resolved the live check:
1. github_date crashed on tags-only repos: `git/refs/tags/{t}` (plural)
returns a LIST of prefix-matching refs, and the code called `.get` on
it -> AttributeError. Switch to singular `git/ref/tags/{t}` (one
object) and guard against a list anyway, accepting only an exact match.
2. source_url read the wrong key: source deps carry their fetch spec
under `from` ({type, url, sha256}), not a flat `url`, so the new
source-URL tier matched nothing. Read `from.url` (tolerate flat shape).
Census effect: dated 229 -> 263 / 373 (the source-URL fix reclaimed 34
http(s)-sourced packages); 0 runtime errors across the catalog.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Probed all 20 dateless-but-has-provenance packages against their real
upstream (GitHub/GitLab tags APIs, GNU ftp listings) and taught the
resolver the formats found, instead of guessing:
- candidate_tags: keep the historical 8 forms (no regression) + add
repo-derived families (bun-v{v}, varlock@{v}, lib-stripped fuse-/
xkbcommon-) and a per-repo override map for bespoke schemes
(R_2_7_5, REL_18_4, core-8-6-16, V_10_3_P1, llvmorg-, version-,
rust-v, gopls/v, cabal-install-v, lcms).
- gnu_date: try flat + nested per-version dir (gcc lives in
/gnu/gcc/gcc-X/) + aliased project dir (libidn2 under /gnu/libidn/).
- new self-dated tier: versions carrying a trailing YYYYMMDD (ncurses
weekly snapshots, other Dickey projects) self-date with no network.
Census effect (full catalog, live): dated 263 -> 279 / 373; the 20
fixable resolver-misses drop to 3 (libsvtav1=GitLab, ngspice=SourceForge,
linux_headers=stable-tree-in-gregkh/linux) which need new host tiers.
Hardening (from an adversarial review the census motivated):
- _curl_head_date shared helper: https-only with --proto/--proto-redir
=https + bounded redirects (close the fork-PR SSRF/downgrade surface),
and validate the FINAL hop is 2xx so an error page's stale
Last-Modified can't yield a bogus "release date" (this removed
libx265's 403-page date). Naive datetimes treated as UTC.
- gnu_date now follows redirects (was curl -sI, missed 302s).
- source_ext reads nested from.url (same bug class as the prior two)
and strips ?query before the ext match; add zst.
- gh_json: add a 30s timeout (was unbounded).
- md_cell: escape |/newlines/backticks in the summary table + unknown
list (untrusted build.ncl -> GITHUB_STEP_SUMMARY injection).
- by_name skips non-string names (unhashable -> crash guard).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Edge Delta AI Teammates seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
5ed2833 to
fdc9262
Compare
6cac883 to
cf7814e
Compare
|
Thanks so much for this, and for digging into our packaging — version_age_report.py really does crash on a null attrs value (get("attrs", {}) returns None) — a genuine one-line bug. 🙏 We're closing this in favour of small, focused internal fixes: we've distilled it, along with your other PRs, into #353, which tracks the underlying findings as actionable items. This PR bundled a number of unrelated package changes and overlapped with others, and we keep changes small and focused per CONTRIBUTING — but the insight is captured and we'll land the fix on our side. Genuinely grateful for the contribution — please don't let this discourage smaller, focused follow-ups. 🙏 |
Summary
This pull request resolves a potential crash in the
version_age_report.pyscript where the script can raise anAttributeError: 'NoneType' object has no attribute 'get'if a package'sattrsfield isnullin the catalog dump.Related issues
Resolves a potential runtime crash in the version age monitoring system.
Changes
.github/scripts/version_age_report.pyto usepkg.get("attrs") or {}instead ofpkg.get("attrs", {}). This correctly handles packages where the"attrs"key exists in the JSON dictionary but its value isnull(None), falling back to an empty dictionary rather than attempting to call.get()on aNoneType.Checklist
min checkpasses for the affected packages/harnesses.min patched-build <name>succeeds for any package I added or modified.Notes for reviewers
The fix has been verified locally using a simulation of a mock package with
nullattributes:Previously, this caused an unhandled traceback/AttributeError. With this fix, it resolves safely to
UNKNOWNand exits with code 0 as designed.This pull/merge request was created by Edge Delta AI Teammates — see #code-issues for the original conversation.