GitHub release file root folder name structure changed for some ROS project releases

[machinekoder]

We have a problem for a couple of days. Our rosdep step for building ROS on Debian Stretch fails since a couple of days. Further investigation revealed that this might be a bigger problem with the GitHub API.

In particular I'm talking about the error ERROR [vcstools] Tarball download unpack failed: u"bond_core-release-release-kinetic-bond-1.8.1-0 is not a subdirectory with contents in members [u'bond_core-release-release-kinetic-bond']"[/vcstools] and similar.

This resuts in the overall rosdep error: ERROR in config: Error processing 'bond_core/bond' : [bond_core/bond] Checkout of https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz version bond_core-release-release-kinetic-bond-1.8.1-0 into /root/ros_catkin_ws/src/bond_core/bond failed.

Taking a look at https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz we can see that the directory contained in the tar.gz file generated by GitHub contains a folder named bond_core-release-release-kinetic-bond but vcstools expects bond_core-release-release-kinetic-bond-1.8.1-0.

Since I can't go back in time, I can't verify that the directory naming scheme has changed, but looking at the source code it looks like it has: https://github.com/vcstools/vcstools/blob/master/src/vcstools/tar.py#L121

Can someone please confirm that this is the problem. If so, this is very urgent, as almost all rosdep builds will fail.

Interestingly, other downloads such as https://github.com/ros-gbp/vision_opencv-release/archive/release/kinetic/cv_bridge/1.12.7-0.tar.gz, for example, seem to contain the old naming scheme.

[tkruse]

Those tars are created and uploaded by our release process, github has no control over the contents.
You can see the list of releases e.g. here: https://github.com/ros-gbp/bond_core-release/tags?after=release%2Fkinetic%2Fsmclib%2F1.8.1-0

It would seem to me that only kinetic-bond-1.8.1-0 is flawed in the way you describe. So I suggest closing this ticket here as invalid, and opening a ticket instead at https://github.com/ros/bond_core about this specific release, and whether it should be deleted / repaired.

[mjcarroll]

Mikael is no longer maintaining, I'll take a look.

[mikaelarguedas]

This looks very similar to #141 (comment) are you using python3 vcstools?

It looks like the fix from #141 has not been released yet so you may have to build from source.

wget https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz works fine on my machine so I doubt it's related to the bond package itself

[wjwwood]

github has no control over the contents.

This is a reasonable thing to assume, but actually IIRC GitHub dictates the folder name in the archive based on the branch and stuff. As GitHub generates that archive not us, it's just a zip of a specific branch.

[zultron]

I'm seeing the same thing. It appears that something changed recently in the bond_core and catkin releases. The release date for "release/kinetic/bond/1.8.1-0" in the @tkruse's link from #147 (comment) is Nov 3, 2017, long before this issue cropped up within the last week. However, the tarball file structure changed in the bond release only, whereas other releases in the bond_core repo remain the same. See here:

• The bond_core release has a version (tag name + release?) appended to the directory, same as bondcpp, bondpy, smclib releases, same as a week ago:

$ wget -q  https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond_core/1.8.1-0.tar.gz -O - | tar tzvf - | head -1
drwxrwxr-x root/root         0 2017-11-02 23:14 bond_core-release-release-kinetic-bond_core-1.8.1-0/

• But inconsistently, the bond release does not append a version, changed since a week ago:

$ wget https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz -q -O - | tar tzvf - | head -1
drwxrwxr-x root/root         0 2018-10-02 19:39 bond_core-release-release-kinetic-bond/

• This also changed in the catkin release:

$ wget https://github.com/ros-gbp/catkin-release/archive/release/kinetic/catkin/0.7.11-0.tar.gz -q -O - | tar tzvf - | head -1
drwxrwxr-x root/root         0 2018-08-07 00:09 catkin-release-release-kinetic-catkin/

And looking at what I just pasted, I also feel curious that the creation dates on the two releases from the bond_core repo differ by almost a year (but still not recently enough to explain this problem), even though the versions are identical.

[tkruse]

Not so much documentation about the github process at https://developer.github.com/v3/repos/releases/#create-a-release. People claim github uses the equivalent of a standard git command:
https://news.ycombinator.com/item?id=11494997

git archive -o project-0.5.tar.gz --prefix project-0.5/ v0.5 

Though github does not actually use git I believe.
If the equivalent of the --prefix argument is controlled by github, then this might be a github bug.

[tkruse]

Note that the date on the github releases page seems to be the tag was created, not necessarily the date the release tarball was created.

Another weird thing. on the page I linked, https://github.com/ros-gbp/bond_core-release/tags?after=release%2Fkinetic%2Fsmclib%2F1.8.1-0
I can click on the links like this:
https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fkinetic%2Fbond_core%2F1.8.1-0

but for the broken release, though it has a tar and zip, if I click the link "release/kinetic/bond/1.8.1-0 ", I get 404
https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fkinetic%2Fbond%2F1.8.1-0

[zultron]

In total, 34 of the 263 GitHub releases entries in our .rosinstall file needed the -${TAG}-${REL} version suffix removed from the version:, so this is more widely spread than the initial report indicates. At least we have a workaround until we get to the bottom of this.

Here's the list of sources we had to change:

https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz
https://github.com/ros-gbp/catkin-release/archive/release/kinetic/catkin/0.7.11-0.tar.gz
https://github.com/ros-gbp/class_loader-release/archive/release/kinetic/class_loader/0.3.9-0.tar.gz
https://github.com/ros-gbp/geometry2-release/archive/release/kinetic/tf2/0.5.17-0.tar.gz
https://github.com/ros-gbp/geometry2-release/archive/release/kinetic/tf2_eigen/0.5.17-0.tar.gz
https://github.com/ros-gbp/opencv3-release/archive/release/kinetic/opencv3/3.3.1-0.tar.gz
https://github.com/smits/orocos-kdl-release/archive/release/kinetic/orocos_kdl/1.3.1-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/mk/1.13.6-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/ros/1.13.6-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/rosbash/1.13.6-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/rosboost_cfg/1.13.6-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/rosbuild/1.14.3-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/rosclean/1.14.3-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/roslang/1.14.3-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/roslib/1.14.3-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/ros_comm/1.12.12-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosbag/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosbag_storage/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosconsole/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/roscpp/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosgraph/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/roslz4/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosmaster/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosout/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosparam/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rospy/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosservice/1.12.12-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/xmlrpcpp/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm_msgs-release/archive/release/kinetic/rosgraph_msgs/1.11.2-0.tar.gz
https://github.com/ros-gbp/roscpp_core-release/archive/release/kinetic/cpp_common/0.6.9-0.tar.gz
https://github.com/ros-gbp/roscpp_core-release/archive/release/kinetic/roscpp_core/0.6.7-0.tar.gz
https://github.com/ros-gbp/roscpp_core-release/archive/release/kinetic/roscpp_serialization/0.6.9-0.tar.gz
https://github.com/ros-gbp/roscpp_core-release/archive/release/kinetic/roscpp_traits/0.6.9-0.tar.gz
https://github.com/ros-gbp/roscpp_core-release/archive/release/kinetic/rostime/0.6.9-0.tar.gz
https://github.com/ros-gbp/roslint-release/archive/release/kinetic/roslint/0.11.0-0.tar.gz

[zultron]

Another weird thing. on the page I linked, https://github.com/ros-gbp/bond_core-release/tags?after=release%2Fkinetic%2Fsmclib%2F1.8.1-0
I can click on the links like this:
https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fkinetic%2Fbond_core%2F1.8.1-0

but for the broken release, though it has a tar and zip, if I click the link "release/kinetic/bond/1.8.1-0 ", I get 404
https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fkinetic%2Fbond%2F1.8.1-0

Good find. That seems like something so clearly broken on GitHub's side that maybe it's time to bring this up with them.

[machinekoder]

I have sent a support request to GitHub. Until we have an answer (or fix) from GitHub, we can use the workaround proposed by @zultron.

[tkruse]

@machinekoder Do you have a public link for your request?

[machinekoder]

@tkruse Unfortunately not, I used the support request contact form.

[zultron]

Today the list has changed. These tarballs have newly lost their version:

https://github.com/ros-gbp/genmsg-release/archive/release/kinetic/genmsg/0.5.10-0.tar.gz
https://github.com/ros-gbp/ros-release/archive/release/kinetic/rosunit/1.14.3-0.tar.gz

And these tarballs have gained them back:

https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/ros_comm/1.12.12-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosbag_storage/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/roscpp/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/roslz4/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rosout/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/rospy/1.12.13-0.tar.gz
https://github.com/ros-gbp/ros_comm-release/archive/release/kinetic/xmlrpcpp/1.12.13-0.tar.gz

[machinekoder]

Interesting update: I'm now in contact with the GitHub support.

Btw. try to download the file from here: https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fmelodic%2Fbond%2F1.8.1-0
vs directly https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz
and you will see the folder has a version suffix vs not.

[zultron]

Interesting update: I'm now in contact with the GitHub support.

Any updates? I've had to update our .rosinstall file once again (though just one change this last round).

Btw. try to download the file from here: https://github.com/ros-gbp/bond_core-release/releases/tag/release%2Fmelodic%2Fbond%2F1.8.1-0
vs directly https://github.com/ros-gbp/bond_core-release/archive/release/kinetic/bond/1.8.1-0.tar.gz
and you will see the folder has a version suffix vs not.

The difference there is melodic vs. kinetic. The equivalent direct download link for melodic does have the versioned folder.

I do see that the kinetic v. 1.8.3-0 release has a versioned folder. When I get time, I'll check if updating everything fixes the issue, although if it did I'd still feel suspicious whether this problem is really solved or not.

[machinekoder]

Interesting, now the release link is completely dead. The direct link still works.

[machinekoder]

But it's now missing the release version as well https://github.com/ros-gbp/bond_core-release/archive/release/melodic/bond/1.8.1-0.tar.gz

[jveitchmichaelis]

For another perspective, this is making it virtually impossible to deploy ROS (Kinetic, in my case) using Docker, using the steps in the main tutorial. It's pot luck every day which packages download correctly. I managed to build successfully a few days ago, but now trying to build a new container, bond_core fails as described.

Odd though, the direct links (my script is trying 1.8.3-0) posted here work, but I get a checkout failed when building.

https://github.com/ros-gbp/geometry2-release/archive/release/kinetic/tf2_msgs/0.5.20-0.tar.gz is also failing during install, but that link works for me in a browser (and using wget on the host system).

[tfoote]

If this is hitting you too, please politely reach out to github support as well to let them know that it's effecting you. This non-deterministic archive downloads are not something that we have any control over.

[zultron]

@tfoote Good idea. I reported this at https://github.com/contact. Here's the problem report I submitted, in case it helps others in filing their own report.

We've been seeing a problem in GitHub Releases in the last month where after unpacking the tarball, the top-level directory name has changed in the same release downloaded just a week earlier. These are old releases that should not change.

An example is the ros-gbp/bond_core repo bond_core v. 1.8.1-0 release, directly downloaded from here. For the last year, the tarball unpacks into the directory bond_core-release-release-kinetic-bond_core-1.8.1-0/, but a few weeks ago it began unpacking into catkin-release-release-kinetic-catkin/, without the release version appended.

This change isn't consistent, since other ros-gbp/bond_core v. 1.8.1-0 releases are unchanged, with the version still appended to the base directory.

We have found this problem not just in ros-gbp/bond_core, but in dozens of releases from several repos.

New cases crop up every time we run our scripts, every few days or so. In a few cases, the base directory version was dropped, and a few days later re-added!

Others are seeing the same problem. There's more discussion and details in an issue at thevcstools/vcstools repo here.

Thank you for prompt attention to this problem.

[machinekoder]

For the time being, you can use this script to fix the problem temporarily. https://gist.github.com/machinekoder/49ff3aa0734b4b2ec99ec86586cb40c1

[tkruse]

Issues could also be opened in either of these two locations:

• https://github.com/holman/ama
• https://github.com/isaacs/github/issues

this would enable the github user community at large to communicate about this issue (voting and workarounds), as opposed to this vcstools ticket

[machinekoder]

Or email to support@github.com

[machinekoder]

@zultron @tkruse I felt so free: isaacs/github#1483

[machinekoder]

Update: The issue has been escalated to the GitHub Engineering Team.

[gavanderhoorn]

I just closed vcstools/wstool#130 as it was a duplicate of the issue being discussed here.

At least two people have reported this on ROS Answers, and I've run into it myself as well.

Thanks @machinekoder for taking this up with GH.

[zultron]

Almost forgot, on 02/08 got this from Stacy Burns, support@github.com:

Hey Jon! We've received a few other reports from the community about this and we're currently looking into it.

Sorry for the trouble!

Cheers
Stacey

[gavanderhoorn]

@machinekoder wrote:

1. As far as I understand the feature is undocumented.

As mentioned in #149 (comment), I'm not sure this is true.

The Get archive link section in the GH v3 API seems to suggest otherwise.

[tkruse]

The feature of creating tarballs is documented. The detail the name of the root folder inside that tar is not part of that documentation. As least nobody found such a reference so far.

[tkruse]

Also note that I don't remember any rationale for why wstool/rosinstall/vcstools cares about the name of the folder. That would only be useful when a tarball had multiple folders, or as some weird security check. Iirc I did not introduce this behavior, but continued it from what I believe @tfoote originally created.

[chrisl8]

@tkruse This is the part I've been wondering about. Why not just extract the tar and use whatever folder is there. We know that we got the version we asked for based on the URL. The behavior of trying to guess the name ahead of time instead of just using the actual folder name in the tar itself seems odd and prone to trouble to me.

Does anyone know why the code was written this way?

[gavanderhoorn]

@chrisl8 wrote:

We know that we got the version we asked for based on the URL.

do we? That's an assumption. Perhaps wstool tries to make sure that way.

[tkruse]

Possibly the feature helps a bit defending against what's known as tarbombs.http://www.linfo.org/tarbomb.html

Also see https://unix.stackexchange.com/questions/242298

There are 2 issues with GitHub right now. One is that the foldername inside the tar changes over time for the same tar. The other problem is that the foldername may be the same for different tars of the same project, which likely is not what most users want. If you download multiple release tars the same project and extract them, by convention it is reasonable to expect or hope each gets extracted to a different subfolder as this is the safest behavior.

However this is not a formal standard afaik. My first link explains this at the bottom: "Another convenience for users when creating a tarball that contains a program is to give the directory into which the program will be untarred the same name as the program but followed by a hyphen and then the version of the program".
That is what GitHub did so far for years.

[mysablehats]

@machinekoder 's gist workaround worked for me (kinetic-ros_comm-wet build). Just needed to apt install python-sh and, in the script, change the name of the files it reads and outputs (in main at the end) and run the python script after running rosinstall_generator and before wstool init

[gavanderhoorn]

🛎️ ?

[zultron]

bellhop_bell ?

@gavanderhoorn, robust-rosin/robust#227? Yep, same problem. I don't think GitHub has fixed it.

[gavanderhoorn]

I was just curious as to whether anyone on this thread had received any additional info from GH support.

[zultron]

I inquired again, following up on the previous reply from Stacey Burns (pasted above):

Hi there John,

I'm afraid there's no update from engineering yet, but I've let them know you were after a follow up and passed on your example of where people are having to work around this.

When we hear back from them we'll let you know!

Sorry for any frustration this has caused!

Cheers,

Matt R 😸

Hi Stacey,

Any update? We've seen a lot more of this since your last email over two weeks ago. At this point people have been scripting to work around this broken behavior, so while people aren't desperate, there are still new cases, such as this. (Plus it's a shame this has caused so many people so much time!)

John

[mysablehats]

@machinekoder 's gist workaround worked for me (kinetic-ros_comm-wet build). Just needed to apt install python-sh and, in the script, change the name of the files it reads and outputs (in main at the end) and run the python script after running rosinstall_generator and before wstool init

Oh, I thought the fix.py script worked, but it doesn't. Message generation seems botched; also I can't publish from cv_bridge

I posted a question on ros.answers (see https://answers.ros.org/question/316362/sensor_msgsimage-generates-float-instead-of-int-with-python3/), since I have a very convoluted setup, but I believe this is the culprit

[gavanderhoorn]

@mysablehats: I would be very much surprised if the scripts proffered here influence the issues you mention. They only change the way tarball extraction is checked, but do not change any of the files in the archives themselves.

[gavanderhoorn]

Any updates @machinekoder / @zultron?

We're using wstool quite a bit and it seems things have "normalised" again, but it'd be nice if GH could confirm that in some way.

[machinekoder]

@gavanderhoorn Nothing confirmed yet.

[zultron]

I'm working with a new .rosinstall file right now, so while I can't compare with previous results, 7 of 152 tar repos are broken. These are the most current release versions from rosdistro.

[gavanderhoorn]

Hm. The "most current release versions" bit is interesting perhaps.

But still no communication from GH support?

[gavanderhoorn]

Has anyone here ran into any additional problems with GH tarballs?

[oceanusxiv]

I have, the newest version of actionlib similarly has this issue

[zultron]

On a whim, I just tried disabling @machinekoder's workaround, happily running without attention for the last year or so, and it seems that GitHub might have resolved this issue on their side at some point. Yay!

Perhaps we could get confirmation the problem is resolved from some of the folks who also saw this, maybe @jveitchmichaelis or @eric1221bday, and close out this issue.

[gavanderhoorn]

I've never used the workaround from @machinekoder, neither has any of the official infrastructure and we haven't run into the problem for at least 3 quarters of a year.

That would lead me to conclude it's been indeed fixed for quite some time now.

[jveitchmichaelis]

Sure, I'll try rebuilding one of my containers today.

[dirk-thomas]

Closing since the repository is about to be archived: see #166.