bazelbuild / rules_pkg

Bazel rules for creating packages of many types (zip, tar, deb, rpm, ...)
Apache License 2.0
216 stars 174 forks

Wrong release description for release 0.9.0 #694

Closed martis42 closed 11 months ago

martis42 commented 1 year ago

The checksum for rules_pkg-0.9.0.tar.gz in the WORKSPACE snippet for https://github.com/bazelbuild/rules_pkg/releases/tag/0.9.0 is wrong. The checksum is actually bcc96ae58d9d61db1a36a13d29e85dc2c1696ecb7997f9a26643ab0971ecb2ef.

aiuto commented 1 year ago

That's odd. The mirror is correct (335632735e625d408870ec3e361e192e99ef7462315caa887417f4d88c4c8fb8), but the GitHub-served version is not. I also found the original from the machine I built the release on. That matches the mirror.

I did some examination of the two versions and the mirror one is right. I'll update the archive.

aiuto commented 1 year ago

The workspace.resolved and some other unused files got included in the bad version. There were no behavioral changes.

davidr-bt commented 1 year ago

Builds still fail with checksum mismatch error.

alexeagle commented 1 year ago

Did you modify the release after you initially published it? rules_oci is depending on rules_pkg and has the original bcc... hash from the release: https://github.com/bazel-contrib/rules_oci/blob/82d5b6ab077f689485d9631c4744b424be30b7d2/oci/dependencies.bzl#L36

At this point the 0.9.0 release is unreliable because two different hashes have been distributed around the ecosystem.

alexeagle commented 1 year ago

The Bazel Central Registry is also broken now https://github.com/bazelbuild/bazel-central-registry/blob/main/modules/rules_pkg/0.9.0/source.json#L3 (you can convert formats like this: echo bcc96ae58d9d61db1a36a13d29e85dc2c1696ecb7997f9a26643ab0971ecb2ef | xxd -p -r | base64)

Please restore the original release artifact.
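Checking a pinned artifact the way this comment describes, as an added example (not rules_pkg or BCR code): it converts between the hex `sha256` pin used in a WORKSPACE http_archive and the `sha256-<base64>` integrity form BCR's source.json uses, and hashes copies fetched from more than one source to flag divergence. The URLs and payloads are constructed stand-ins, not the real tarballs.

```python
import base64
import hashlib

# Digests quoted in the thread: the hex form used by http_archive's `sha256`
# attribute. BCR's `integrity` field is "sha256-" + base64 of the raw digest.
ORIGINAL_HEX = "bcc96ae58d9d61db1a36a13d29e85dc2c1696ecb7997f9a26643ab0971ecb2ef"
REPLACED_HEX = "335632735e625d408870ec3e361e192e99ef7462315caa887417f4d88c4c8fb8"


def hex_to_integrity(hex_digest: str) -> str:
    """Convert a hex SHA-256 digest to the SRI form BCR uses (sha256-<base64>)."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError("SHA-256 digest must be exactly 32 bytes")
    return "sha256-" + base64.b64encode(raw).decode("ascii")


def integrity_to_hex(integrity: str) -> str:
    """Inverse of hex_to_integrity; rejects any algorithm other than sha256."""
    algo, _, b64 = integrity.partition("-")
    if algo != "sha256":
        raise ValueError(f"unsupported algorithm: {algo}")
    return base64.b64decode(b64, validate=True).hex()


def check_sources(expected_hex: str, sources: dict[str, bytes]) -> dict[str, str]:
    """Hash each fetched copy and return {url: actual_hex} for every copy that
    does not match the pin. An empty dict means all sources agree."""
    mismatches = {}
    for url, payload in sources.items():
        actual = hashlib.sha256(payload).hexdigest()
        if actual != expected_hex:
            mismatches[url] = actual
    return mismatches


if __name__ == "__main__":
    # Constructed stand-ins for the two artifact versions (not the real tarballs).
    good = b"rules_pkg-0.9.0 original tarball (constructed)"
    bad = good + b"\nworkspace.resolved accidentally included"
    pin = hashlib.sha256(good).hexdigest()
    fetched = {"https://mirror.example/rules_pkg-0.9.0.tar.gz": good,
               "https://github.example/rules_pkg-0.9.0.tar.gz": bad}
    for url, actual in check_sources(pin, fetched).items():
        print(f"MISMATCH {url}: expected {pin}, got {actual}")
    print("BCR integrity for the original:", hex_to_integrity(ORIGINAL_HEX))
```

Fetching the same artifact from the mirror and from GitHub and running both through check_sources would have surfaced the divergence described in this issue before it reached consumers.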

martis42 commented 1 year ago

Restoring the old version of the artifact might fix downstream projects which already depend on the initial release behavior, but it can't fix the release. If the old version is restored, then there are again two non-matching artifacts depending on downloading either via the mirror or the GitHub URL (plus the description only matching one).

Seems to me the only forward path is a new release and hoping all downstream users update to it.

alexeagle commented 1 year ago

The mirror.bazel.build has to be fixed to have an artifact with sha256 bcc96ae58d9d61db1a36a13d29e85dc2c1696ecb7997f9a26643ab0971ecb2ef.

A new release is also a good idea, but you'll have endless reports of this breakage since the original artifact was live for nearly two months before being replaced.

aiuto commented 1 year ago

I'll yank 0.9.0 and do a 0.9.1. Most likely on Tuesday, May 2.

On Mon, May 1, 2023 at 6:20 PM Alex Eagle wrote:

the mirror.bazel.build has to be fixed to have an artifact with sha256 bcc96ae58d9d61db1a36a13d29e85dc2c1696ecb7997f9a26643ab0971ecb2ef

A new release is also a good idea, but you'll have endless reports of this breakage since the original artifact was live for nearly two months before being replaced.


meteorcloudy commented 1 year ago

Re-open until this is resolved properly.

aiuto commented 1 year ago

I made a 0.9.1 and sent a PR to update BCR.

FWIW, I spent some time trying to use gh to script the update. I was close, but ran into authentication headaches, as release pushes are done from a remote, headless machine, so browser authentication is tricky. I'll come back to that some time later in the quarter.

aiuto commented 1 year ago

But the question of yanking 0.9.0 is open. It seems no worse to yank than to leave it as is, because people who explicitly ask for 0.9.0 are failing anyway.

aiuto commented 1 year ago

Waiting on https://github.com/bazelbuild/bazel-central-registry/pull/605