-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Composer cache makes developers life hard #1496
Comments
Do you have any details on that? Which part of the cache fails, and how? I never had any issue with the cache as far as I know, and I work on win7 too. |
I'm sorry for the very generic issue, not very usefull, I know. It's just that we haven't seen any clear pattern yet. One thing that happens often is that there are clearly new commits in a dev-master but the old stuff is just taken from the cache. Composer says: Installing from cache but we know that's not what we want. The only way to get the new information is to delete the cache. It would make life much easier to have a |
Oh, and we've had the same issue on CentOS too, btw. |
IMO a clear-cache command would be just giving up and admitting failure. I'd rather fix the root cause. Cache should be transparent or it becomes a painful source of uncertainty. That's why I am surprised you have problems because I do all I can to make the caches dependent on the exact versions of things so that if anything changes it is invalidated. So you are saying that when updating a package, it outputs that it updates and fetches from the cache. Could you please whenever you get this again do the following:
|
ok, will do that. |
I work with Markus and I've had this issue more than once (on Windows 8 and CentOS) e.g. when I needed to add some missing files to a git tag. I did the following:
Even after manually deleting all dependencies before running |
@aimfeld Git tags are not meant to be changed. When you overwrite a tag, every guy who already fetched the old tag has to delete it in their clone and to fetch again, otherwise they will still use the old tag. |
@stof That is true in most cases, but here we're talking about a private mirror repo of a third party library which needs to maintain its tag but got some fixes. |
@markushausammann even for private repos. If you delete a git tag and recreate it, any guy who already cloned the repo with the old tag has to delete the tag and fetch again. If you got some fixes, you should do a new bugfix release, not erasing the previous release |
Well, in the case you want/need to mirror the true version number of that library that's just not gonna be possible. I get your point but it doesn't apply to that use case. |
reusing the same version number for a release but with a different content looks wrong to me. |
@markushausammann @aimfeld indeed retagging is the problem. This is a really bad practice. If 1.0.0 is broken you can push the fixes and release 1.0.0.1 or 1.0.0p1 which are both accepted by composer as minor patch releases/hotfix. The problem is it's not easily fixable because composer stores only the tag as commit reference for tagged packages, and not the exact sha1 of the commit. Because of that, if the tag references a new commit it won't be identified, so it's not possible to make the cache dependant on the sha1 of the commit for tags. |
Yeah, you guys are right... it was a temporary solution to make a third party library composer installable but we should probably still work with minor patch tags! I wasn't aware that composer doesn't look at the commit. Thanks for the heads up. |
btw. I am also under the impression that I had some cache problems outside this tag story but I may be wrong. If so, I'll open a new issue. |
I'll just keep this open as reminder for now. I can try and look at whether it's fixable at some point, even though it's a bad practice I know everyone does it every now and then. |
You're so constructive :) |
Just hit by this bug, we are in situation where we need to update tag in cases of re builds of a version just before release. It is wrong, but that does not change the fact that the composer cache is currently blocking our builds and we lost quite some time figuring out it was caused by it. So maybe composer should double check it's cache checksum against packagist for forced updates to tags and packages. |
I had similiar issue when moving package from packagist into satis server. Tag stayed the same as repo didin't change, md5 checksum failed (i am not sure what is included into it). Can packagist/satis checksum of the same package vary or I am missing something? Maybe cache should be cleared for pacakge if checksum fail? |
@tomaszdurka I think satis re-packages stuff. |
These are zips of the same repo, same ref/tag:
Actually: |
We're facing both issues here
|
@Seldaek Did you get notifications about this? |
Hi, I used to have checksum errors while using Satis; I no longer do since I have disabled the cache on both sides: "config:{
"cache-files-ttl": 0
} |
Since a few weeks I'm experiencing that cached ZIP-files have different checksums from the original files on satis. Composer then says something like:
The cached file really is different from the one residing on satis:
If I unpack both ZIP-files they are identical (
With the difference looking like some different encoding (?):
Any ideas what could be the cause or how to further debug? |
It rather looks like a Satis issue, related to the fact that the ZIP algorithm is not deterministic. Composer doesn't change anything to the ZIP file downloaded from the Satis server; the problem only arises if:
The check sum validation fails then because the check sum found in This issue isn't limited to Satis, in principle; any package manager which "refreshes" package archives although their version number haven't changed would give rise to the same problem. As a workaround, Composer could inflate every downloaded package archive and calculate the check sum of the directory instead of the check sum of the archive itself, for instance with: find . -type f -exec md5sum {} + | awk '{print $1}' | md5sum (inspired by this answer on StackOverflow) |
@killerwolf It's annoying, but I think it's clear that you cannot work with two Satis instances. Both will re-package the original packages and generate ZIP files with different check sums, although the inflated contents are the same. |
I've taken a look into $archiveManager->setOverwriteFiles(false); So the problem would only arise if you delete package archives from the Satis server manually, and then re-build it? Could anyone confirm or refute this theory? |
@Seldaek what about my proposition? Would it be a good idea to add the check sum of the inflated archives, maybe via a new entry |
It seems the problem for us was an older |
So it seems there are two issues at hand really:
The first is fixable by just re-downloading the file instead of failing hard, the second however I'm not sure what we can do about it. Ideally the best fix would be to make sure the archives are created in a predictable manner so that rebuilding them would not create hash mismatches. Alternatively someone suggested hashing the extracted contents rather than the archive itself. That is possible but will be way slower I imagine, especially on large archives and on windows where filesystem ops aren't very fast. Any better idea? |
I've just had to re-build all our satis package-caches and re-create To prevent this the safest would probably be to calculate the shasum from the ZIP's contents. |
The problem really is within Composer handling it's cache. It's a good thing checksums are checked, but whenever the cached file seems to be wrong, it should be disregarded, deleted, and downloaded again from the source, without aborting. |
How about inflating package archives in-memory to calculate the inflated check sum we'd store in |
That would not work on systems without zip extension, and even on those |
That's right... As far as performance is concerned, in the "normal" case, Since this is only a convenience feature, we could also make it optional, I guess? |
My current workaround is |
I am experiencing the issue of the ZIP algorithm being non-deterministic in this way: I use a Linux server at the company that builds a repository with Satis. On my workstation at home I want to provide a second Satis repository of the same packages, which my Composer installation should preferably use because it is faster to access locally than over the internet. The problem is that my local workstation is runing Windows 7 and the Zips creted by its Satis installation differ from the ones created on the Linux server. This leads to checksum problems whenever a Zip from one server is in the cache and Composer expects the checksum from the other. I think that this is a real problem because providing the same packages from different sources is a core concept providing redundant sources for data. There are two ways how this could be handled:
|
Today I experienced a slightly different variation of the problem that Composer calculates the hash on the compressed version rather than the original data. This time clearing the cache wasn't enough because the corresponding project had the |
Adding cache ttl 0 insta-worked for me, thanks. |
+1 Edit after @markushausammann comment below: My satis runs every 5 minutes with a complete build, and after every push on certain projects. |
👍 |
I'm really not sure what you guys are thumbing up. So many things have been said in this issue that it could be anything from "yeah, it makes my life hard too" to "cache ttl 0 works". If you +1 or thumb-up, please explain what you support. |
Well, yes this is a PITA, and |
@peikk0 : +1 on replacing the cached file on checksum difference. This will by far be the most simple solution to the current annoyances. |
I fixed what's fixable now, i.e. "corrupted" caches that don't match the sha-1 will not be used anymore and a re-download will be forced instead. The rest of the issue has been moved to #2540. |
Cache still broken when using
$ composer install
Loading composer repositories with package information
Updating dependencies (including require-dev)
- Installing level-2/transphporm (dev-master 2110304)
Cloning 2110304c512958797508ea08e0d78c4336494b41 from cache
Writing lock file
Generating autoload files
master $ git log origin
commit 0ada294c2ecd1698782985a23f3c90c142fab7b4 (refs/remotes/origin/master, refs/remotes/origin/HEAD, refs/remotes/composer/master)
Author: Tom Butler <tom@r.je>
Date: Tue Sep 13 15:51:36 2016 +0100
#124 - fixed bug with empty value
commit 2110304c512958797508ea08e0d78c4336494b41 (HEAD -> refs/heads/master)
Author: Richard <solleer@hotmail.com>
Date: Fri Aug 12 08:17:02 2016 -0400
Removed unused class properties Note how Composer pulled old version 2110304 from Aug 12 from cache, instead of grabbing version 0ada294c from Github. |
@cxj please report a new issue rather than resurrecting an old one and spamming 15 people. I don't think this has any relation to the cache, so we'll need more details and repro steps. Locking this thread now. |
We're constantly annoyed by the composer cache. We constantly run into issues where some way or another one or another repo doesn't update or install properly until we delete the cache. This is on Windows7.
The text was updated successfully, but these errors were encountered: