rebar3
Do not override private repo urls with default CDN
Summary: Packages in hex repos defined in rebar.config cannot be fetched as their URL is always overridden.
Environment: detected in Erlang 23.0.3 + rebar 3.14.1, but most surely happening in other versions too (see further below for diagnosis)
How to reproduce:
- Deploy any local hex repo (e.g. by using the default instructions for mini_repo) and publish a `baz` package.
- Create a new app (e.g. `rebar3 new lib foo`)
- Configure your new app to fetch that dependency from the private repo with a rebar.config like this:

```erlang
{plugins, [rebar3_hex]}.
{deps, [baz]}.
{hex, [
    {repos, [
        #{name => <<"test_repo">>,
          repo_url => <<"http://localhost:4000/repos/test_repo">>,
          repo_public_key => <<"...">>
        }
    ]}
]}.
```

- Run `rebar3 deps`

Expectation: `baz` is fetched correctly.
Result: `baz` is not downloaded, as `repo.hex.pm` is accessed instead of the private repo.
Reason found: though the `/packages` URL for the repo is queried correctly, when the associated `/tarballs` URL is built, any value in `$HEX_CDN` or (if empty) `"repo.hex.pm"` is used instead of the expected `repo_url` provided in config. This bug seems to have been introduced in #2204.
Fix proposed: `$HEX_CDN` or the default `"repo.hex.pm"` are only used if a `repo_url` is not provided.
Ah, so we are taking HEX_CDN to always be defined basically? It should only override if it is actually set.
@starbelly ^
Keep in mind that at the moment the value read from HEX_CDN is used as fallback endpoint for all repos, so outright taking it out would mean that repos defined without a repo_url themselves (e.g. a private hex.pm `<<"hexpm:private_repo">>`), would hold no info on where to access it.
A more elaborate solution could be made where the endpoint is taken from the first defined value in this list:
- HEX_CDN
- repo_url
- "repo.hex.pm"
But this means that a defined HEX_CDN blanket overrides all repos, so using it to redirect to a hex.pm mirror breaks access to your own locally deployed artifactory—bringing us back to the original problem this PR was meant to fix.
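
The two lookup orders discussed in this thread, side by side, as an added example that is not rebar3's code and not part of any comment above. The module and function names are hypothetical, the mirror URL is a constructed value, and `HEX_CDN` is modelled as a binary or `false` when unset.

```erlang
%% Added illustration of the tarball endpoint precedence discussed in this PR.
%% Not rebar3 code: module, function and policy names are hypothetical.
-module(tarball_endpoint).
-export([resolve/3, overridden/3, demo/0]).

%% Default endpoint as written in the PR description.
-define(DEFAULT_CDN, <<"repo.hex.pm">>).

%% repo_first: the PR's proposed fix (repo_url, then HEX_CDN, then default).
%% cdn_first:  the alternative order from the discussion
%%             (HEX_CDN, then repo_url, then default).
%% Cdn is the HEX_CDN value as a binary, or false when the variable is unset.
resolve(repo_first, Repo, Cdn) ->
    first_defined([maps:get(repo_url, Repo, undefined), Cdn]);
resolve(cdn_first, Repo, Cdn) ->
    first_defined([Cdn, maps:get(repo_url, Repo, undefined)]).

%% Return the first non-empty binary, falling back to the default endpoint.
first_defined([]) -> ?DEFAULT_CDN;
first_defined([V | _]) when is_binary(V), V =/= <<>> -> V;
first_defined([_ | Rest]) -> first_defined(Rest).

%% True when a repo that declares its own repo_url would have its
%% tarballs fetched from some other endpoint under the given policy.
overridden(Policy, Repo, Cdn) ->
    case maps:find(repo_url, Repo) of
        {ok, Url} -> resolve(Policy, Repo, Cdn) =/= Url;
        error -> false
    end.

%% Walk both policies over the two repo shapes named in the thread,
%% with HEX_CDN unset and with HEX_CDN pointing at a mirror.
demo() ->
    Local = #{name => <<"test_repo">>,
              repo_url => <<"http://localhost:4000/repos/test_repo">>},
    Private = #{name => <<"hexpm:private_repo">>},    % no repo_url of its own
    Mirror = <<"https://mirror.example.invalid">>,    % constructed HEX_CDN value
    [{Policy, maps:get(name, Repo), Cdn,
      resolve(Policy, Repo, Cdn), overridden(Policy, Repo, Cdn)}
     || Policy <- [repo_first, cdn_first],
        Repo <- [Local, Private],
        Cdn <- [false, Mirror]].
```

Calling `tarball_endpoint:demo()` in an Erlang shell lists, for each policy, repo and `HEX_CDN` setting, the endpoint that would serve the tarball and whether a configured `repo_url` was bypassed.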