Hi,
in our company we are currently using Hex repositories hosted locally in a private data center.
After upgrading the hex tool to version 2.1.0 / 2.1.1, we do not have the ability to download private packages from other repositories besides the main hex.pm repo.
$ mkdir hex_repo && cd hex_repo;
$ openssl genrsa -out repo.pem 4096
$ mix hex.registry build public --name=locker_hex --private-key=repo.pem
Create sample package
$ mix new sample
with mix.exs
defmodule Sample.MixProject do
  use Mix.Project

  def project do
    [
      app: :sample,
      version: "0.1.0",
      elixir: "~> 1.17",
      start_permanent: Mix.env() == :prod,
      description: "Example lib to locally test the local hex app",
      package: package(),
      deps: deps()
    ]
  end

  # Run "mix help compile.app" to learn about applications.
  def application do
    [
      extra_applications: [:logger]
    ]
  end

  # Run "mix help deps" to learn about dependencies.
  defp deps do
    [
      {:ex_doc, ">= 0.30.0", only: :dev, runtime: false}
    ]
  end

  defp package do
    [
      licenses: ["Apache 2.0"],
      links: %{}
    ]
  end
end
Host it with php -S localhost:8000 or provided Erlang code erl -s inets -eval 'inets:start(httpd,[{port,8000},{server_name,"localhost"},{server_root,"."},{document_root,"public"}]).' or python simple server etc.
21:28:00.079 [error] GenServer Hex.Registry.Server terminating
** (Mix.Error) Fetched deprecated registry record version from repo locker_hex. For security reasons this registry version is no longer supported. The repository you are using should update to fix the security reason. Set HEX_NO_VERIFY_REPO_ORIGIN=1 to disable this check.
(mix 1.16.2) lib/mix.ex:580: Mix.raise/2
(hex 2.0.6) lib/hex/registry/server.ex:354: Hex.Registry.Server.write_result/4
(hex 2.0.6) lib/hex/registry/server.ex:218: Hex.Registry.Server.handle_info/2
(stdlib 5.2) gen_server.erl:1095: :gen_server.try_handle_info/3
(stdlib 5.2) gen_server.erl:1183: :gen_server.handle_msg/6
(stdlib 5.2) proc_lib.erl:241: :proc_lib.init_p_do_apply/3
# (...)
defmodule Whatever.MixProject do
  use Mix.Project

  def project do
    [
      app: :whatever,
      version: "0.1.0",
      elixir: "~> 1.14",
      start_permanent: Mix.env() == :prod,
      deps: deps(),
      hex: hex()
    ]
  end

  # Run "mix help compile.app" to learn about applications.
  def application do
    [
      extra_applications: [:logger]
    ]
  end

  # Run "mix help deps" to learn about dependencies.
  defp deps do
    [
      # {:dep_from_hexpm, "~> 0.3.0"},
      # {:dep_from_git, git: "https://github.com/elixir-lang/my_dep.git", tag: "0.1.0"}
      {:sample, "~> 0.1.0", repo: :locker_hex}
    ]
  end

  defp hex() do
    [
      # unsafe_registry: true,
      no_verify_repo_origin: true
    ]
  end
end
We observed the same errors in:
Steps to reproduce
and download latest hex
with mix.exs
Host it with
php -S localhost:8000
or provided Erlang code
erl -s inets -eval 'inets:start(httpd,[{port,8000},{server_name,"localhost"},{server_root,"."},{document_root,"public"}]).'
or python simple server etc.
Add repo to local hex
Errors
With no HEX_NO_VERIFY_REPO_ORIGIN env
With HEX_NO_VERIFY_REPO_ORIGIN=1
Error from our custom registry with hex_core lib: same
Error from Artipie: https://github.com/artipie/artipie/issues/1464
Current workaround
Downgrade hex to 2.0.0-2.0.6
This can be related to: https://github.com/hexpm/hex/issues/1029
With hex 2.0.6 downloading deps from private repos is working without issue.
Classic project with mix.exs:
works too with
mix deps.get