Allow project / package "duplicates" with the same VCS location #6533
Conversation
This is analogous to `addPackages()` and will be used in an upcoming test. Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
| // Some source code repositories contain projects that are used as packages by other contained projects. So the | ||
| // same code is once seen as a project, and once as a package by ORT. Allow such "duplicates" as the ids | ||
| // actually refer to the same thing by requiring duplicates to refer to different VCS locations. | ||
| val realDuplicates = duplicates.filter { (_, duplicates) -> |
There was a problem hiding this comment.
@oss-review-toolkit/core-devs, what do you thing about this? Should we rather only keep one of these (either the project or the package) instead of keeping both of them?
There was a problem hiding this comment.
I'm specifically asking as I currently don't oversee all side-effects that might occur if we keep a project and a package with the same id in the result.
There was a problem hiding this comment.
I think it's likely that assumption that Id's are unique are spread all over the place. To list a few, while guessing many further things can be found:
There was a problem hiding this comment.
I think it's likely that assumption that Id's are unique are spread all over the place.
Right. But some of these only assume ids to be unique within projects or packages, but not within the union of both.
There was a problem hiding this comment.
Right. But some of these only assume ids to be unique within projects or packages, but not within the union of both.
Yeah, that's for sure.
There was a problem hiding this comment.
ISTR that there was also a problem with the WebApp report when duplicate IDs were present: The JavaScript part uses an index-based mapping to reference objects, and if there were projects and packages with the same ID, this mapping got broken.
There was a problem hiding this comment.
Have you considered as alternative solution: Making sure that the
Identifier.typefor projects differs fromIdentifier.typefor packages?
Actually, I was playing around with similar ideas 3 years (!) ago:
- In the identifier-types branch I tried to turn an
Identifier'stypeinto asealed classwithProjectIdentifierandPackageIdentifiersub-classes. - In the multiple-identifier-classes branch the
Identifierclass itself is tried to be turned in asealed class.
Both approaches had the goal to distinguish project and package ids, and to iterate over all known id types (e.g. for when statements).
There was a problem hiding this comment.
I agree with @fviernau that there are probably lots of places in the code which assume that identifiers are unique and it could be very hard to find all of them, and with @oheger-bosch that likely the WebApp report and probably other report formats would break.
There are also situations where the same package could appear twice with different metadata (e.g. if different repositories are used), I'm not sure if we currently fail in this case or just ignore it.
I think properly addressing this issue would be a big effort, another approach than the sealed class you suggested could also be to extend the identifier with properties like isProject and provider details.
There was a problem hiding this comment.
I think properly addressing this issue would be a big effort
Indeed. That's why I never completed my branches mentioned above...
There was a problem hiding this comment.
There are also situations where the same package could appear twice with different metadata (e.g. if different repositories are used), I'm not sure if we currently fail in this case or just ignore it.
I verify this. We have a repo in which ORT is failing because three or four packages appear twice due to different metadata.
…tion For some background information see [1], and specifically the NPM project / package at [2]. [1]: https://gitlab.eclipse.org/eclipsefdn/emo-team/eclipsefdn-ort/-/issues/56#note_1084923 [2]: https://git.eclipse.org/r/plugins/gitiles/cdt/org.eclipse.cdt/+/7c6bd5bdcb4cf8c31050aeeb102250a27a157728/qt/org.eclipse.cdt.qt.core/acorn-qml/package.json Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
force-pushed
the
lenient-project-package-duplicates
branch
from
d9327fc
to
7b1c5c9
Compare
| @@ -46,9 +46,18 @@ class AnalyzerResultBuilder { | |||
|
|
|||
| fun build(excludes: Excludes = Excludes.EMPTY): AnalyzerResult { | |||
| val duplicates = (projects.map { it.toPackage() } + packages).getDuplicates { it.id } | |||
| require(duplicates.isEmpty()) { | |||
|
|
|||
There was a problem hiding this comment.
I've got some story maybe worth sharing here: I recently scanned ORT with ORT locally,
it exited complaining in about duplicates in this function. I debugged it only quick and had to stop at some point due to other tasks. If I didn't make a mistake the finding was that there were multiple packages (not projects) with the same id which were completely identical except for on attribute. IIRC it was the homepage URL.
That's just FYI, didn't look into this PR deeply yet .
There was a problem hiding this comment.
I also had the case of multiple packages with the same identifier. This happened when a package was referenced from multiple package managers using the same package type (for instance GoMod and GoDep). If the package metadata is not exactly the same, multiple Package instances are created.
There was a problem hiding this comment.
In my above case the full identifiers were identical, including the type.
|
The change have been tested and is fine from our side |
Thanks for the feedback. However, this PR will more likely evolve into the direction of dropping the duplicate package in favor of only keeping the project. |
Please have a look at the individual commit messages for the details.