Maybe inconsistent duplicate check in record_artifacts_as_dict
#601
Comments
I agree with adding a check at the point marked in the first snippet. I think, however, a warning may not suffice. Are there scenarios where an overwrite is fine and it's not an error? I can't think of a valid use case and I prefer to error rather than (relatively) hide away the behaviour. If the warning is missed, the metadata is less complete than the user thinks, which I'm not a fan of.
@adityasaky @lukpueh Did you two want to move forward with erroring instead of warning?
@adityasaky is right that this shouldn't go undetected, so erroring out does make sense. Not sure which error to use, though.
@lukpueh I'm all for being explicit and clear when the option is available. Overkill? Yea, I see it. A better user experience? I think so.
Let's introduce a new exception and replace PrefixError with it when we're ready for in-toto 3.0.0, a generic error for any artifact collisions.
record_artifacts_as_dict helper called from runlib.in_toto_* interface functions returns a dictionary of artifact URIs with their hashes. The hashes are generated in batches per artifact resolver and combined here:
in-toto/in_toto/runlib.py
Lines 182 to 187 in 4581e4b
Currently, there is no URI duplicate check when combining these batches. This may not be necessary, because artifact URIs are usually distinguished by their schemes, but artifact resolver implementations may decide to arbitrarily mangle the URIs prior to returning them. Relying on a resolver to not return URIs that we already have is brittle.
At the same time, we do raise on duplicate URIs as a result of file mangling (lstrip) in FileResolver.hash_artifacts:
in-toto/in_toto/resolver/_resolver.py
Lines 116 to 121 in 4581e4b
Expected behaviour
A user should consistently be informed if, when using an interface function that records artifacts, the results may not be as expected because of duplicate URIs. IMO a warning should be enough.
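The collision discussed in this issue, as an added example that is not in-toto's code and not part of the original thread: two resolver batches end up with the same URI after prefix stripping, and an unchecked merge keeps only one entry while a checked merge raises. All names (hash_batch, merge_unchecked, merge_checked, ArtifactCollisionError) are hypothetical, and modelling the unchecked merge as a plain dict update is an assumption.

```python
"""Added illustration: merging per-resolver artifact hash batches with a
URI collision check. All names here are hypothetical, not in-toto's API."""
import hashlib


class ArtifactCollisionError(Exception):
    """Hypothetical generic error for any artifact URI collision."""


def hash_batch(artifacts, lstrip_prefix=""):
    """Stand-in for a resolver: hash (uri, content) pairs, optionally
    stripping a left prefix from each URI before recording it."""
    batch = {}
    for uri, content in artifacts:
        if lstrip_prefix and uri.startswith(lstrip_prefix):
            uri = uri[len(lstrip_prefix):]
        batch[uri] = {"sha256": hashlib.sha256(content).hexdigest()}
    return batch


def merge_unchecked(batches):
    """Combine batches with dict.update (assumed behaviour): a later
    duplicate URI silently replaces the earlier entry."""
    merged = {}
    for batch in batches:
        merged.update(batch)
    return merged


def merge_checked(batches):
    """Combine batches, raising if any URI was already recorded."""
    merged = {}
    for index, batch in enumerate(batches):
        duplicates = sorted(merged.keys() & batch.keys())
        if duplicates:
            raise ArtifactCollisionError(
                f"batch {index} repeats already recorded URIs: {duplicates}"
            )
        merged.update(batch)
    return merged


# Constructed sample input: two resolvers whose URIs collide after mangling.
FILE_BATCH = hash_batch([("build/app.bin", b"local build output")])
OTHER_BATCH = hash_batch(
    [("remote:build/app.bin", b"different content")], lstrip_prefix="remote:"
)
```

With the unchecked merge, the recorded metadata holds one hash for build/app.bin even though two different artifacts were hashed.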