Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing package.json files for some packages? #183

Closed
snoyberg opened this issue Jan 25, 2017 · 12 comments
Closed

Missing package.json files for some packages? #183

snoyberg opened this issue Jan 25, 2017 · 12 comments

Comments

@snoyberg
Copy link
Contributor

When I turn on "require package hashes" in Stack on the Hackage Security branch, I get the following error message:

Package index Hackage is configured to require package hashes, but no hash is available for amazonka-codedeploy-1.4.0

Sure enough, if I look in the 01-index.tar file, there is no package.json file for that release of amazonka-codedeploy:

screen shot 2017-01-25 at 4 04 32 pm

Is there some reason for this file to be missing? From a security standpoint, it would be nice to be able to depend on the existence of a hash for every package.

Also, I'm not sure if this is the appropriate repo for this question. I can move it to the Hackage Server tracker if that's better.

snoyberg added a commit to commercialhaskell/stack that referenced this issue Jan 25, 2017
Cannot yet turn on "require hashes" by default due to missing hashes,
see: haskell/hackage-security#183
@hvr
Copy link
Member

hvr commented Jan 25, 2017

We have known about this for quite some time already (c.f. haskell/hackage-server#488) but this glitch is very hard to reproduce and hasn't re-occured ever since then. This is also the reason why the hackage-mirror-tool needs this temporary hack. At some point we're gonna supply those missing package.json files in the index tarball, we just didn't get to it yet.

@snoyberg
Copy link
Contributor Author

Is there no method available to:

  1. Manually add the missing package.json files, and
  2. Add a sanity check (like each .cabal file has a package.json file) before the 01-index.tar.gz file is generated?

This does seem to significantly impede the ability of tools to provide security guarantees.

snoyberg added a commit to commercialhaskell/stack that referenced this issue Jan 27, 2017
Cannot yet turn on "require hashes" by default due to missing hashes,
see: haskell/hackage-security#183
@hvr
Copy link
Member

hvr commented Jan 28, 2017

This does seem to significantly impede the ability of tools to provide security guarantees.

That's not really true though because as a kind of happy accident this unintentional situation currently exercises cabal's code-paths for when the package hashes are missing; and in fact cabal refuses to download those couple of packages whose cryptographic checksums are missing. This just forces us to be able to cope with this exceptional case which we would have to anyway.

@snoyberg
Copy link
Contributor Author

@snoyberg
Copy link
Contributor Author

Looks like aivika-transformers-5.3.1.tar.gz needs to be added to the list.

snoyberg added a commit to commercialhaskell/hackage-mirror-tool that referenced this issue Oct 27, 2017
@tfausak
Copy link

tfausak commented Dec 16, 2017

As @snoyberg mentioned, aivika-transformers-5.3.1 is missing its package.json. It was uploaded at 2017-10-27T04:35:54Z.

Also this just happened again with llvm-hs-5.1.1 (haskell/hackage-server#643). That one was uploaded at 2017-12-16T14:00:07Z.

@gbaz
Copy link

gbaz commented Mar 19, 2018

This is resolved with haskell/hackage-server#488

@gbaz gbaz closed this as completed Mar 19, 2018
@snoyberg
Copy link
Contributor Author

snoyberg commented Mar 19, 2018 via email

@gbaz
Copy link

gbaz commented Mar 19, 2018

The underlying cause was fixed in haskell/hackage-server#644

Before, insertion of the package into the packagedb occurred and then hackage security data was added to the db, in two steps. So it was possible a thread could die or the server could fall-over between the steps. That change made sure that either both changes happened or neither change happened.

@snoyberg
Copy link
Contributor Author

snoyberg commented Mar 19, 2018 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants