rez-release allows overwriting already released version on commit that isn't the release tag
rez-release allows you to release and overwrite an already released package version while on a different commit to the one tagged at release.
Environment
- OS CentOS Linux release 7.6.1810 (Core) x86_64
- Rez version 2.112.0
- Rez python version Python 3.6.8
To Reproduce
- Create a simple rez package with a git repo and remote. In this example my package.py is just this:
    name = "test_pkg"
    version = "1.0.0"
    build_command = False
    def commands():
        print("This is version 1.0.0!")
- git commit, push and then rez-release the package.
- Verify the release completed by checking in git log that the commit has been tagged as test_pkg-1.0.0 and the package is ok with rez-env test_pkg==1.0.0 and see the text is printed.
- Modify the package in some way and leave the version as 1.0.0. In this case, update the statement in the package.py to
    def commands():
        print("This is version 1.0.0! BUT MODIFIED!")
- git commit, push this change.
- Try to rez-release the package again and see that it now releases version 1.0.0 again, overwriting the originally released version!
- Verify the now incorrectly released package with rez-env test_pkg==1.0.0 and see it prints the modified message and the git log still shows the previous commit as the tagged release
Expected behavior
I expect there to be an error thrown when trying to release a version of a package that has already been released while I am not on the commit that has been tagged for that version.
Actual behavior
The release is allowed to go through despite the package now not matching with the commit that is tagged for that version.
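The check described under "Expected behavior", sketched as an added example that is not part of the original issue and is not rez's own code. It assumes the release tag is named name-version, as in the test_pkg-1.0.0 tag above; the function names and the sample ref listing are hypothetical.

```python
import subprocess

class ReleaseTagMismatch(Exception):
    """The version's tag exists but points at a commit other than HEAD."""

# Constructed `git show-ref --tags --dereference` output (not from the page):
# an annotated tag (tag object + peeled ^{} commit) and a lightweight tag.
SAMPLE_REFS = "\n".join([
    "1" * 40 + " refs/tags/test_pkg-1.0.0",
    "a" * 40 + " refs/tags/test_pkg-1.0.0^{}",
    "b" * 40 + " refs/tags/test_pkg-0.9.0",
])

def tagged_commits(show_ref_output):
    """Map tag name -> commit sha, preferring the peeled ^{} line."""
    commits = {}
    for line in show_ref_output.splitlines():
        sha, _, ref = line.strip().partition(" ")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            commits[name[:-3]] = sha       # annotated tag: the commit it points at
        else:
            commits.setdefault(name, sha)  # lightweight tag, or tag object until peeled
    return commits

def check_release_commit(name, version, head_sha, show_ref_output):
    """False if the version is untagged, True if tagged at HEAD, else raise."""
    tag = "{}-{}".format(name, version)    # assumed format, as in test_pkg-1.0.0
    commit = tagged_commits(show_ref_output).get(tag)
    if commit is None:
        return False
    if commit != head_sha:
        raise ReleaseTagMismatch(
            "{} is tagged at {} but HEAD is {}; bump the version or check "
            "out the tagged commit".format(tag, commit[:8], head_sha[:8]))
    return True

def check_repo(name, version, repo="."):
    """Run the check against a real checkout (needs git on PATH)."""
    def git(*args):
        # show-ref exits 1 when the repo has no tags, so do not use check=True
        return subprocess.run(("git", "-C", repo) + args, stdout=subprocess.PIPE,
                              universal_newlines=True).stdout
    head = git("rev-parse", "HEAD").strip()
    return check_release_commit(name, version, head,
                                git("show-ref", "--tags", "--dereference"))
```

Calling check_repo("test_pkg", "1.0.0") from the package checkout before releasing raises ReleaseTagMismatch in the scenario reproduced above, because the tag still points at the earlier commit.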
@mmdanggg2 when you say the released package is overwritten, you mean it's completely overwritten? Because if that's the case, that's pretty bad. Also, I'd be curious to know what your build looks like (just to make sure we can fully repro).
Yes, I do mean that the files within the release_packages_path for that version are overwritten. In that simple example package.py I put above, the package.py and build.rxt files are overwritten. I suppose it depends on your build script how much gets clobbered. Rez does not clear out the folder it installs to first so any files that were installed previously will remain but they will be overwritten if the build script goes and copies them from the source again.
I've not been using the cmake build system because I'm not very familiar with it so my builds are just calling a python script which, for most stuff, is just copying files from source to install with shutil stuff.
I was just able to reproduce this, I had a minor change on a package and thought I'd try to release again without changing the version number to see if I could repro this, and it did re-release it without complaints. (Windows, rez 2.104.9)
If someone is interested in helping us on this, it would be appreciated. I'm concerned about this but I unfortunately won't have time to take a look at it for a couple of weeks.
Types of help that could be done: root cause analysis, code inspection, hypothesis as to why it's happening, a PR, pointing to the problematic code, proposing a fix with a diff provided here (if the CLA is a problem), etc.