
Do not override private repo urls with default CDN

Open xurxodiz opened this issue 3 years ago • 2 comments

Summary: Packages in hex repos defined in rebar.config cannot be fetched as their URL is always overridden.

Environment: detected in Erlang 23.0.3 + rebar 3.14.1, but most surely happening in other versions too (see further below for diagnosis)

How to reproduce:

  • Deploy any local hex repo (e.g. by using the default instructions for mini_repo) and publish a baz package.
  • Create a new app (e.g. rebar3 new lib foo)
  • Configure your new app to fetch that dependency from the private repo with a rebar.config like this:
    {plugins, [rebar3_hex]}.
    {deps, [baz]}.
    {hex, [
       {repos, [
          #{name => <<"test_repo">>,
            repo_url => <<"http://localhost:4000/repos/test_repo">>,
            repo_public_key => <<"...">>
           }
       ]}
    ]}.
  • Run rebar3 deps

Expectation: baz is fetched correctly.

Result: baz is not downloaded, as repo.hex.pm is accessed instead of the private repo.

Reason found: though the /packages URL for the repo is queried correctly, when the associated /tarballs URL is built, any value in $HEX_CDN or (if empty) "repo.hex.pm" is used instead of the expected repo_url provided in config. This bug seems to have been introduced in #2204.

Fix proposed: $HEX_CDN or the default "repo.hex.pm" are only used if a repo_url is not provided.

xurxodiz, Sep 07 '20 14:09

Ah, so we are taking HEX_CDN to always be defined basically? It should only override if it is actually set.

@starbelly ^

tsloughter, Sep 10 '20 14:09

Keep in mind that at the moment the value read from HEX_CDN is used as fallback endpoint for all repos, so outright taking it out would mean that repos defined without a repo_url themselves (e.g. a private hex.pm <<"hexpm:private_repo">>) would hold no info on where to access them.

A more elaborate solution could be made where the endpoint is taken from the first defined value in this list:

  1. HEX_CDN
  2. repo_url
  3. "repo.hex.pm"

But this means that a defined HEX_CDN blanket overrides all repos, so using it to redirect to a hex.pm mirror breaks access to your own locally deployed artifactory—bringing us back to the original problem this PR was meant to fix.

xurxodiz, Sep 10 '20 14:09
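
The three endpoint resolution orders discussed in this thread, side by side, as an added Erlang example that is not rebar3's code and not part of any comment above. The module and function names are hypothetical, `HexCdn` stands in for the value of HEX_CDN (`false` when unset), and the mirror URL, package version and `/tarballs/NAME-VERSION.tar` path are constructed sample values.

```erlang
%% Added illustration, not rebar3 source. All names here are hypothetical.
-module(hex_endpoint_demo).
-export([buggy/2, proposed/2, cdn_first/2, demo/0]).

-define(DEFAULT_CDN, <<"https://repo.hex.pm">>).

%% HexCdn models the HEX_CDN variable: false when unset, else a binary.
cdn_or_default(false) -> ?DEFAULT_CDN;
cdn_or_default(Cdn) when is_binary(Cdn) -> Cdn.

%% Reported behaviour: repo_url is ignored when the tarball URL is built.
buggy(_Repo, HexCdn) -> cdn_or_default(HexCdn).

%% Proposed fix: repo_url wins; HEX_CDN or the default only fill the gap,
%% so a repo without repo_url (e.g. hexpm:private_repo) still resolves.
proposed(#{repo_url := Url}, _HexCdn) -> Url;
proposed(_Repo, HexCdn) -> cdn_or_default(HexCdn).

%% Alternative order from the last comment: HEX_CDN, repo_url, default.
%% A set HEX_CDN overrides every repo, including the private one.
cdn_first(_Repo, Cdn) when is_binary(Cdn) -> Cdn;
cdn_first(#{repo_url := Url}, false) -> Url;
cdn_first(_Repo, false) -> ?DEFAULT_CDN.

%% Assumed tarball path layout for a hex repository.
tarball_url(Base, Name, Vsn) ->
    <<Base/binary, "/tarballs/", Name/binary, "-", Vsn/binary, ".tar">>.

%% Returns {Strategy, RepoName, HexCdn, TarballUrl} for every combination.
demo() ->
    Private = #{name => <<"test_repo">>,
                repo_url => <<"http://localhost:4000/repos/test_repo">>},
    NoUrl = #{name => <<"hexpm:private_repo">>},
    Mirror = <<"https://mirror.example.invalid">>,   %% constructed value
    Strategies = [{buggy, fun buggy/2},
                  {proposed, fun proposed/2},
                  {cdn_first, fun cdn_first/2}],
    [{Label, maps:get(name, Repo), Cdn,
      tarball_url(F(Repo, Cdn), <<"baz">>, <<"0.1.0">>)}
     || {Label, F} <- Strategies,
        Repo <- [Private, NoUrl],
        Cdn <- [false, Mirror]].
```

Only `proposed/2` sends the `test_repo` tarball request to `localhost:4000` in both the HEX_CDN-set and HEX_CDN-unset cases; the rows from `demo/0` make it easy to see where a private package name would otherwise be requested from a public or mirror endpoint.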