Missing package.json files for some packages? #183
Cannot yet turn on "require hashes" by default due to missing hashes, see: haskell/hackage-security#183
We have known about this for quite some time already (c.f. haskell/hackage-server#488) but this glitch is very hard to reproduce and hasn't re-occurred ever since then. This is also the reason why the |
Is there no method available to:
This does seem to significantly impede the ability of tools to provide security guarantees. |
Cannot yet turn on "require hashes" by default due to missing hashes, see: haskell/hackage-security#183
That's not really true though because as a kind of happy accident this unintentional situation currently exercises |
It's hard to tell how often this happens because the original report (haskell/hackage-server#488) has been edited, but these are the packages that are currently affected by this problem:
Generated with https://gist.github.com/tfausak/ed463c32638b8bd876df1a0712fc88bd. |
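An added example (not the gist linked above) of the kind of check that produces such a list: walk a `01-index.tar`, group entries by package and version, and report every release whose directory has no `package.json`. It assumes the index layout `<name>/<version>/<name>.cabal` and `<name>/<version>/package.json`; the tar is constructed in memory so it runs offline, and the `amazonka-codedeploy` version `0.0.0` is a placeholder, not a real release.

```python
import io
import tarfile
from collections import defaultdict

# Constructed sample entries (not a real 01-index.tar). Assumed layout:
# <name>/<version>/<name>.cabal and <name>/<version>/package.json, the latter
# carrying the tarball hashes that "require hashes" depends on.
SAMPLE_ENTRIES = {
    "aivika-transformers/5.3.1/aivika-transformers.cabal": b"name: aivika-transformers\n",
    # 0.0.0 is a placeholder version, not an actual amazonka-codedeploy release
    "amazonka-codedeploy/0.0.0/amazonka-codedeploy.cabal": b"name: amazonka-codedeploy\n",
    "base/4.10.1.0/base.cabal": b"name: base\n",
    "base/4.10.1.0/package.json": b'{"signed": {}}',
    "base/preferred-versions": b"base >= 4\n",
}


def build_index_tar(entries):
    """Write the sample entries into an in-memory tar (uncompressed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_missing_package_json(index_tar_bytes):
    """Return sorted 'name-version' strings for releases lacking package.json."""
    files_by_release = defaultdict(set)  # (name, version) -> file names seen
    with tarfile.open(fileobj=io.BytesIO(index_tar_bytes), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = member.name.split("/")
            if len(parts) != 3:  # preferred-versions and other non-release paths
                continue
            name, version, fname = parts
            files_by_release[(name, version)].add(fname)
    return sorted(
        f"{name}-{version}"
        for (name, version), files in files_by_release.items()
        if "package.json" not in files
    )


if __name__ == "__main__":
    for release in find_missing_package_json(build_index_tar(SAMPLE_ENTRIES)):
        print(release)
```

Against a real index, read the file with `open("01-index.tar", "rb").read()` instead of `build_index_tar`; every name printed is a release a client cannot hash-verify.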
@tfausak That looks like it lines up with the list from hackage-mirror-tool: https://github.com/snoyberg/hackage-mirror-tool/blob/213064e4dd5983d01b6c7daa1c7eb37bed5255fd/src/IndexShaSum.hs#L165 |
Looks like aivika-transformers-5.3.1.tar.gz needs to be added to the list. |
As @snoyberg mentioned, aivika-transformers-5.3.1 is missing its Also this just happened again with llvm-hs-5.1.1 (haskell/hackage-server#643). That one was uploaded at 2017-12-16T14:00:07Z. |
This is resolved with haskell/hackage-server#488 |
Can you clarify how this resolved the issue? It seems like this is a one time fix-up, but doesn't solve the underlying cause, meaning this may recur in the future. I'd be happy to hear that the underlying cause was fixed too (and frankly would be really interested in learning what the problem is). |
The underlying cause was fixed in haskell/hackage-server#644 Before, insertion of the package into the packagedb occurred and then hackage security data was added to the db, in two steps. So it was possible a thread could die or the server could fall-over between the steps. That change made sure that either both changes happened or neither change happened. |
Awesome, thanks! |
When I turn on "require package hashes" in Stack on the Hackage Security branch, I get the following error message:
Sure enough, if I look in the 01-index.tar file, there is no package.json file for that release of amazonka-codedeploy:
Is there some reason for this file to be missing? From a security standpoint, it would be nice to be able to depend on the existence of a hash for every package.
Also, I'm not sure if this is the appropriate repo for this question. I can move it to the Hackage Server tracker if that's better.