-
Notifications
You must be signed in to change notification settings - Fork 351
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SHA256 mismatch on homebrew micromamba installation #2057
Comments
thanks for the note. The SHA256 mismatch is thrown by |
Ah, OK, I think I know whats going on (just tried it locally):
this seems to always fetch the latest version but it doesn't take into account the build number. So when we bump the build number (which we just did), the SHA256 goes out of sync :/ I don't have a good solution for this right now. Maybe the |
This would be @YYYasin19 and me. The version bumping for micromamba in brew can be done with |
@pavelzw i think maybe in brew you could also speak directly to the Anaconda API (instead of micro.mamba.pm) and get the SHA sum from there? I unfortunately don't know too much about brew |
If iI'm not mistaken, you need to provide the SHA always directly in the cask code, see here. I don't think there is a way to provide an alternative SHA source other than the cask code. |
Homebrew/homebrew-cask #134447 should fix this issue. |
I'm not too sure either, I think bumping the cask for every build instead of every version is the most straight forward solution. |
The build-nr increases happen in conda-forge/micromamba-feedstock. I don't think we should touch the CI there... |
Jep, you're right, but maybe we can use something like the brew formula github action which has a |
I'm not too familiar with the conda-forge process, how often does a build number increase occur? |
Not that often... Usually for build fixes or when a new architecture is added. |
We could do a scheduled action in this repo that updates brew... I would leave the version as-is since it makes more sense semantically imo. |
Hi. Homebrew maintainer here .I was going to approve the PR in |
Does livecheck extract the version or just verify that it is, in fact, different? |
It's pretty versatile. We can have it pull any text we can reliably regex. So if you have somewhere we can pull version & build from we can use that. |
The current livecheck url already has version and build nr in it. The version is here |
Does something like this (in cleaner, maybe) work? |
Please take a look at the commit I just pushed. It should take care of this issue. |
Looks good, thanks! |
PR is merged. Thanks all. |
@beatslikeahelix can you now try again after updating the taps? If it works you can close the issue. |
@pavelzw Successfully installed! Thanks so much everyone, this was resolved super fast. |
This broke also |
There are no changes to published tarballs. You're just not guaranteed that |
Any "stable" URL downstream packages can use? |
Well you'll always want to use the latest build. I don't know if micro.mamba.pm supports specifying a build number. Although that would open another problem of knowing what's the latest build version. Maybe can you use micromamba/conda-forge to determine the latest build and also download the files? |
@giordano sorry about that. I can Post the steps that the micromamba server does (use the anaconda api to find the latest version and then redirect there). The problem is that our link doesn't take into account the build number. The previous version tarballs still exist with unchanged sha, they have a different build number though. |
Hello there, I'm one of the Julia developers that is impacted by this, and I thought I should explain a bit why we want stable links. The way Julia's package manager works is to record a manifest with hashes on all downloaded resources, so that when you come back later you can "instantiate" your project manifest and get bit-for-bit identical versions of all of your software for maximum reproducibility. This reproducibility extends not only to Julia packages, but also to the binary dependencies that we serve. We really try hard to provide reproducibility up to the extreme of shipping things like CUDA userspace libraries, Cairo/GTK stacks, etc... While a big initial lift, this has worked out quite well for us, and has resulted in the community making wide use of tooling that rejects tarball URLs that change their contents. An example of how this looks in practice is this Artifacts.toml file, which expects to, at any time in the future, be able to download that URL and verify the hashes, to ensure perfect reproducibility. I should note that we are definitely not the only people to perform this kind of hash checking, most distribution packages (Debian, Ubuntu, Homebrew, etc...) will encode some form of hash verification on upstream releases to prevent malicious actors from spreading compromised source tarballs through their distribution channels. Is there a URL that we can pull an exact version down from, that is guaranteed to never change? Something like |
I completely get the need for stable URLs and checking hashes. I need to check if the Anaconda API provides something that would allow us to provide more stable URLs. If not, we can change the server to also provide URLs derived from the repodata.json which we can make more stable (proper link to the tarball). You could also capture the redirect from the current URL that you are using (it will redirect to the unique tarball that is going to be stable). |
How are you folks keeping up to date with the latest versions? Just asking because you should also be looking for new builds of the same version, not just new versions. Does the Julia package ecosystem have the notion of build numbers? |
Is that redirect URL going to be stable? That is the simplest and most expedient method for us.
Updating versions of dependencies is always an explicit step. Julia itself uses more-or-less semantic versioning for its own packages, but in this case we're not using a Julia package, we're just treating the mamba release as a binary artifact that gets downloaded for use within a Julia package. So it's up to the Julia package author to update to a new mamba tarball when they decide there is a bug/missing feature. If they don't update, we will keep on installing the same bits.
Officially, no. Packages are only just |
I'd also point out that |
I think that one should be the correct one but in this particular case I suggest to use the latest build. Those files are immutable. |
@giordano the link you posted looks like it should work. There is also the link that mamba would use to download a package, which is The Where version is either The server just redirects with a 301 to the selected version. |
Sorry guys, just a heads-up, I merged another PR that increments the build number :( |
Hi everyone, are there any open problems on the Julia packaging side that we can help fix? |
I think the URLs shared above by @wolfv should be good for us, as long as they're persistent 🙂 Thanks! |
SHA256 mismatch when installing micromamba 0.27.0-2 on a fresh installation of Monterey via homebrew. Everything else brew related seems to be working correctly. Successfully installed a few days ago so not sure what's changed.
The text was updated successfully, but these errors were encountered: