-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue in composer.lock
generation ?
#11850
Conversation
deb1fa3
to
2e0265b
Compare
2e0265b
to
f363837
Compare
composer.lock
generation for path
based package ? composer.lock
generation ?
6bad807
to
63df496
Compare
I'm not sure I grasp why the dist type changes, but I can see if it changed then yeah maybe we should not update it.. but then I'd still update the source reference I think. So probably need to make only the dist updates conditional on having the same dist type. If the dist type changed we should probably also just call setSourceReference instead of setSourceDistReferences to ensure we leave the dist reference alone. |
Nice, glad this has been recognized as a bug. Now, do you think we should do the following? $packageDist = sprintf(
'%s%s%s',
$package->getDistSha1Checksum(),
$package->getDistType(),
$package->getDistUrl()
);
$presentPackageDist = sprintf(
'%s%s%s',
$presentPackage->getDistSha1Checksum(),
$presentPackage->getDistType(),
$presentPackage->getDistUrl()
);
if ($presentPackage->getSourceReference() && $presentPackage->getSourceType() === $package->getSourceType() && $presentPackageDist === $packageDist) {
// ... rest of the code
} |
This facilitate the reading of the code and foster a better understanding of the business logic
63df496
to
0708e17
Compare
(just rebased since you fixed the CI) edit: looks like it's not fixed yet :( |
no. Because if the dist reference changes, the url will likely be different, and the sha1 as well, so this does not mean anything. |
My idea was to check if anything has changed in the But OK fair enough. Is there left to do in here? |
I confirm that the implemented changes fixes the issue. |
…ackage to ensure we keep all metadata intact, fixes composer#11787
1372f2e
to
efa03f9
Compare
@naderman can you please review the approach here? Most important is the last commit. It switches the mirror update from: "take newest package and reapply the old references to it" to "keep old package but apply newest dist/source urls and mirrors to it". I think it's a more meaningful way to do this, and it should still achieve the desired goal.. But well it carries some risk of unintended consequences for sure. |
That last commit efa03f9 is breaking it again :( |
@Seldaek To avoid overriding what you did in this branch, I've created another branch. It contains a fix that makes this one works again, find it here: drupol#1 Basically, the fix is just that: if ($presentPackage->getDistType() !== $package->getDistType()) {
- return $presentPackage;
+ continue;
} The rest of the changes are minimal, just to remove the call to |
Ok merging this as it fixes other issues and does not break nix more than it already was broken ;) |
Hello,
Today I encountered an unexpected behaviour while attempting to upgrade from version 2.6.6 to 2.7.1. After making a thorough bisect, I pinpointed the introduction of the weird behaviour to this specific commit: 042a8c2 (related to #11787).
Originally, this issue has been found while Composer is used in conjunction with a custom plugin: nix-community/composer-local-repo-plugin. Note, this issue cannot be reproduced (pun intended!) when using Composer < 2.7.
Reproduce the issue with the Composer plugin
What makes this issue complicated is that the core of the problem involves a custom Composer plugin (nix-community/composer-local-repo-plugin), which is essential for illustrating the encountered issue. This plugin plays a critical role in achieving total reproducibility for PHP/Composer-based projects within the Nix ecosystem (introduced in NixOS/nixpkgs#248184).
The plugin works by generating a local Composer repository (https://getcomposer.org/doc/05-repositories.md#composer) from a project's
composer.json
andcomposer.lock
files, including thepackages.json
file, then, update each package'sdist
information incomposer.lock
file to point to the local repository instead. This repository then serves as acomposer
repository type withincomposer.json
. Our objective is to use this plugin to create a stable version of the files that will be of thevendor
directory at the end (using the Composer cache is not a valid option). This stability is crucial for Nix, as it relies on predictable inputs (in this case, thecomposer
repository) to calculate its hashes accurately. The development and implementation of this plugin were motivated by the necessity for predictable outputs to ensure the reproducibility of PHP/Composer based builds... and it was working super fine so far (despite that I wish I could get rid of the plugin one day, ideas are welcome!). The issue emerged following the aforementioned commit, affecting the plugin's operation and, consequently, the reproducibility of our PHP/Composer-based projects. This situation underscores the importance of that small plugin in the Nix ecosystem and the need for a resolution that maintains the integrity of our requirements. Find more details on how to install and use the plugin in the README file of the project.No Nix is needed to reproduce the issue locally, you can reproduce it:
composer global require nix-community/composer-local-repo-plugin
git clone https://gist.github.com/ab25340ea5fa46e3c2f49c1d9ed5eb71.git
run.sh
from that gistReproduce the issue without the Composer plugin
Since many commands are required to reproduce the issue, I've set up a temporary repository at https://github.com/drupol/composer-issue-11850 containing the minimum required file to reproduce the issue. Follow the next steps to quickly reproduce it locally:
git clone https://github.com/drupol/composer-issue-11850
./run.sh
To summarize, this PR contains only 2 commits:
composer.lock
file. I'm still a bit unsure of the proposed fix, this is the reason why I ask you to carefully review this. The fix add a simple checks on$package->getDistType()
but maybe we should do further checks, perhaps we should also compare$package->getDistUrl()
and$package->getDistSha1Checksum()
and if any of those properties have changed. I had a first version implementing that, but I changed it until I have some feedback from you.Please, let me know what you think of that, as I'm willing to fix the issue in Nix and also contribute to making Composer better.
Thanks.