search

r-lib / devtools

Tools to make an R developer's life easier
https://devtools.r-lib.org
Other
2.37k stars 755 forks source link

Test Dependency Packages Out of Snapshot Polluted Installation Repository #2477

Closed ldmax closed 8 months ago

ldmax commented 1 year ago

Dear author,

Our team installed devtools from a snapshot of 2022-08-24. devtools is installed in a central package repository along with other R packages. In order to keep reproducibility or "harmony" of all packages in the repository, all packages should come from the same snapshot.

However, when running tests of devtools, I found it downloading packages AS DEPENDENCIES out of that snapshot. These downloaded packages are of different versions compared to those in the snapshot and polluted the package repository.

Part of log of running tests:

R version 4.2.1 (2022-06-23) -- "Funny-Looking Kid"
Copyright (C) 2022 The R Foundation for Statistical Computing
Platform: x86_64-suse-linux-gnu (64-bit)

R is free software and comes with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
Type 'license()' or 'licence()' for distribution details.

R is a collaborative project with many contributors.
Type 'contributors()' for more information and
'citation()' on how to cite R or R packages in publications.

Type 'demo()' for some demos, 'help()' for on-line help, or
'help.start()' for an HTML browser interface to help.
Type 'q()' to quit R.

> library(testthat)
> library(devtools)
Loading required package: usethis

Attaching package: ‘devtools’

The following object is masked from ‘package:testthat’:

    test_file

> 
> test_check("devtools")
== Documenting =================================================================
trying URL 'https://cloud.r-project.org/src/contrib/rlang_1.0.6.tar.gz'
Content type 'application/x-gzip' length 742508 bytes (725 KB)
==================================================
downloaded 725 KB

trying URL 'https://cloud.r-project.org/src/contrib/desc_1.4.2.tar.gz'
Content type 'application/x-gzip' length 79249 bytes (77 KB)
==================================================
downloaded 77 KB

trying URL 'https://cloud.r-project.org/src/contrib/crayon_1.5.2.tar.gz'
Content type 'application/x-gzip' length 40567 bytes (39 KB)
==================================================
downloaded 39 KB

trying URL 'https://cloud.r-project.org/src/contrib/cli_3.4.1.tar.gz'
Content type 'application/x-gzip' length 540044 bytes (527 KB)
==================================================
downloaded 527 KB

trying URL 'https://cloud.r-project.org/src/contrib/xfun_0.33.tar.gz'
Content type 'application/x-gzip' length 128067 bytes (125 KB)
==================================================
downloaded 125 KB

trying URL 'https://cloud.r-project.org/src/contrib/purrr_0.3.5.tar.gz'
Content type 'application/x-gzip' length 397009 bytes (387 KB)
==================================================
downloaded 387 KB

trying URL 'https://cloud.r-project.org/src/contrib/knitr_1.40.tar.gz'
Content type 'application/x-gzip' length 903328 bytes (882 KB)
==================================================
downloaded 882 KB

trying URL 'https://cloud.r-project.org/src/contrib/brew_1.0-8.tar.gz'
Content type 'application/x-gzip' length 73562 bytes (71 KB)
==================================================
downloaded 71 KB

* installing *source* package ‘rlang’ ...
** package ‘rlang’ successfully unpacked and MD5 sums checked
** using staged installation
** libs
gcc -I"/usr/local/lib64/R/R-4.2.1/R/include" -DNDEBUG -I./rlang/  -I/usr/local/include  -fvisibility=hidden -fpic  -g -O2  -c capture.c -o capture.o
gcc -I"/usr/local/lib64/R/R-4.2.1/R/include" -DNDEBUG -I./rlang/  -I/usr/local/include  -fvisibility=hidden -fpic  -g -O2  -c internal.c -o internal.o
g++ -std=gnu++11 -I"/usr/local/lib64/R/R-4.2.1/R/include" -DNDEBUG -I./rlang/  -I/usr/local/include   -fpic  -g -O2  -c rlang-rcc.cpp -o rlang-rcc.o
gcc -I"/usr/local/lib64/R/R-4.2.1/R/include" -DNDEBUG -I./rlang/  -I/usr/local/include  -fvisibility=hidden -fpic  -g -O2  -c rlang.c -o rlang.o
gcc -I"/usr/local/lib64/R/R-4.2.1/R/include" -DNDEBUG -I./rlang/  -I/usr/local/include  -fvisibility=hidden -fpic  -g -O2  -c version.c -o version.o
g++ -std=gnu++11 -shared -L/usr/local/lib64/R/R-4.2.1/R/lib -L/usr/local/lib64 -o rlang.so capture.o internal.o rlang-rcc.o rlang.o version.o -L/usr/local/lib64/R/R-4.2.1/R/lib -lR
installing to /usr/local/lib64/R/R-4.2.1/R/site-library/level3-library/00LOCK-rlang/00new/rlang/libs
** R
** inst
** byte-compile and prepare package for lazy loading
** help
*** installing help indices
*** copying figures
** building package indices
** testing if installed package can be loaded from temporary location
** checking absolute paths in shared objects and dynamic libraries
** testing if installed package can be loaded from final location
** testing if installed package keeps a record of temporary installation path
* DONE (rlang)
* installing *source* package ‘crayon’ ...

You can see that for dependency rlang, it's installed using https://cloud.r-project.org/src/contrib/rlang_1.0.6.tar.gz, which is version 1.0.6. While in snapshot 2022-08-24, the version is 1.0.4:

Package: rlang
Version: 1.0.4
Depends: R (>= 3.4.0)
Imports: utils
Suggests: cli (>= 3.1.0), covr, crayon, fs, glue, knitr, magrittr, methods, pillar, rmarkdown, stats, testthat (>= 3.0.0), tibble, usethis, vctrs (>= 0.2.3), withr
Enhances: winch
License: MIT + file LICENSE
NeedsCompilation: yes

Since this dependency rlang is installed under the same path of devtools, it silently replaced previously installed rlang version 1.0.4. There are other dependency packages of devtools installed and silently replace previously installed packages. Thus our package repository gets polluted.

Would it be possible to have dependency packages in your test, that also come from the same snapshot you publish devtools itself? That is, if you publish devtools to snapshot 2022-08-24, dependency packages should also come from the same snapshot.

Many thanks for your time!

gaborcsardi commented 1 year ago

This seems to be coming from the devtools test suite, which is in the devtools repo, so I am transferring this issue there.

ldmax commented 1 year ago

This seems to be coming from the devtools test suite, which is in the devtools repo, so I am transferring this issue there.

Yes this is regarding devtools test suite.

Thanks gaborcsardi!

jennybc commented 1 year ago

I'm not fixing this right now but did some research. These are notes for when I come back.

This set of tests:

https://github.com/r-lib/devtools/blob/aa3f88bc693d049e1b524ca1a86b300e2c954765/tests/testthat/test-install.R#L59-L111

should presumably be testing against a fixture package, not devtools itself.

Also seems like there should be a call to withr::local_temp_libpaths().