EFPrefix / EFQRCode

A better way to operate QR Code in Swift, support iOS, macOS, watchOS and tvOS.
https://efprefix.github.io/EFQRCode
MIT License
4.58k stars 487 forks

Importing via Swift Package Manager fails with an error after your latest commit #162

Open WymanY opened 2 months ago

WymanY commented 2 months ago

Checklist

Problem description

After your latest commit, https://github.com/EFPrefix/EFQRCode/commit/97f66a5800dc272206be453ad19604548ff0e0e0#diff-62bd2b94df67e500d0bcc4f14bba20a84ffe68db558b43094b5f464dbafabe3e, importing via Swift Package Manager fails with an error.

Details

This is the specific error.

image

Steps to reproduce

(Probably unrelated to the latest OS; it is most likely a problem introduced by your latest commit.) Xcode 16.0, Swift 5.5, macOS Sequoia

Kirow-masterpilot commented 2 months ago

Same problem

Revision 97f66a5800dc272206be453ad19604548ff0e0e0 for efqrcode remoteSourceControl https://github.com/EFPrefix/EFQRCode.git version 6.2.2 does not match previously recorded value 2991c2f318ad9529d93b2a73a382a3f9c72c64ce

Kirow-masterpilot commented 2 months ago

OK, understood the problem. Because there was a force-push to the repository that overwrote git history, we have a fingerprint mismatch. To solve the issue we need to remove the cache and stored fingerprints for this repo.

rm -rf ~/Library/Caches/org.swift.swiftpm
rm -rf ~/Library/org.swift.swiftpm

or only the files related to the repo, but cleaning everything is easier

WymanY commented 1 month ago

> OK, understood the problem. Because there was a force-push to the repository that overwrote git history, we have a fingerprint mismatch. To solve the issue we need to remove the cache and stored fingerprints for this repo.
>
> rm -rf ~/Library/Caches/org.swift.swiftpm
> rm -rf ~/Library/org.swift.swiftpm
>
> or only the files related to the repo, but cleaning everything is easier

I tried the solution above and it works. What I'm curious about, though, is why using Package > Reset Package Cache in Xcode has no effect. Is there really no way for Xcode itself to solve this problem?

Kirow-masterpilot commented 1 month ago

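> I tried the solution above and it works. What I'm curious about, though, is why using Package > Reset Package Cache in Xcode has no effect. Is there really no way for Xcode itself to solve this problem?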

Safety measure. If Xcode dealt with it automatically, you would never know that someone played with past repo commits. This situation should never happen to an open source repo. I don't know what the maintainer was thinking when making this update.

In general, imagine a situation where some criminal has taken control of some popular open source project, then embedded some malicious code or script somewhere inside a commit from 3 years ago, and then made a force push. What is the chance that a user will search and investigate what exactly was modified and whether it is safe? A general user will run this rm -rf and continue to use it as-is, or simply remove the repo from their dependencies.
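
Added example, not part of any comment in this thread and not code from the EFQRCode project: a small shell check that compares the revision SwiftPM recorded for a version with the commit that tag resolves to now, so a moved tag is confirmed before any cache is wiped. The function names and the `sample_ls_remote` data are constructed for illustration; the version and the two revisions are the ones quoted in the error message above.

```shell
#!/bin/sh
# Reads `git ls-remote --tags <url>` output on stdin, so the logic can be
# exercised offline. Real use (run before deleting any cache):
#   git ls-remote --tags https://github.com/EFPrefix/EFQRCode.git \
#     | check_pin 6.2.2 <recorded-revision>

# Print the commit a tag resolves to. For an annotated tag, ls-remote lists
# the tag object first and the commit on a "<tag>^{}" line; prefer that one.
tag_commit() {
    awk -v ref="refs/tags/$1" '
        $2 == (ref "^{}") { peeled = $1 }
        $2 == ref         { direct = $1 }
        END {
            if (peeled != "")      print peeled
            else if (direct != "") print direct
            else                   exit 1
        }'
}

# check_pin <version> <recorded-revision>
# Returns 0 if the tag is unchanged, 1 if it moved, 2 if it is missing.
check_pin() {
    version=$1
    recorded=$2
    current=$(tag_commit "$version") || {
        echo "tag $version not found on remote" >&2
        return 2
    }
    if [ "$current" = "$recorded" ]; then
        echo "OK $version $current"
        return 0
    fi
    echo "MOVED $version recorded=$recorded now=$current"
    return 1
}

# Constructed ls-remote output. The 6.2.2 line uses the revision from the
# error message above; the 6.2.1 line is a placeholder.
sample_ls_remote() {
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 refs/tags/6.2.1 \
        97f66a5800dc272206be453ad19604548ff0e0e0 refs/tags/6.2.2
}
```

A `MOVED` result means the published tag was rewritten after it was first resolved; the cached clone may be the only place the previously recorded commit still exists, so compare the two revisions before removing it.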

marcoboerner commented 2 days ago

I agree, this should not be done on the main or release branch. If you really need to rebase and/or force push, better open a new branch and merge the changes into the main branch and add a new tag. Took me ages to figure this out! :)