Broken `zkg.meta` completely breaks package aggregation in zeek/packages

Open bbannier opened this issue 8 months ago • 2 comments

zeek/packages uses zkg to "aggregate" packages in the registry. If any package in the registry has a broken zkg.meta, aggregation will always fail for all packages in the registry; see, e.g., https://github.com/zeek/packages/actions/runs/15852032887/job/44687713777 where a user (or machine) fantasized a JSON-based format for zkg.meta:

Refresh package source: zeek
Traceback (most recent call last):
  File "/home/runner/.local/bin/zkg", line 3049, in <module>
    main()
  File "/home/runner/.local/bin/zkg", line 3045, in main
    args.run_cmd(manager, args, config, configfile)
  File "/home/runner/.local/bin/zkg", line 1275, in cmd_refresh
    res = manager.aggregate_source(source, args.push)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/runner/.local/lib/python3.12/site-packages/zeekpkg/manager.py", line 1008, in aggregate_source
    return self._refresh_source(name, True, push)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/runner/.local/lib/python3.12/site-packages/zeekpkg/manager.py", line 1156, in _refresh_source
    invalid_reason = _parse_package_metadata(
                     ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/runner/.local/lib/python3.12/site-packages/zeekpkg/manager.py", line 3317, in _parse_package_metadata
    if not parser.read(metadata_file):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/configparser.py", line 684, in read
    self._read(fp, filename)
  File "/usr/lib/python3.12/configparser.py", line 1064, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
configparser.MissingSectionHeaderError: File contains no section headers.
file: '/home/runner/.zkg/scratch/zeek-unauthorized-smb-usage/zkg.meta', line: 1
'{\n'

Since we run automatic aggregation for all repos which have made it into the registry at some point (i.e., we do not continuously review changes to packages), we need to deal with this in a more graceful way, e.g.,

  • do not update aggregate info for a broken package, or
  • completely drop packages with broken zkg.meta from aggregation

A single broken package must, however, never break aggregation for the rest of the registry.

bbannier avatar Jun 24 '25 14:06 bbannier

I would go for not updating existing packages if they have a broken zkg.meta and not adding new ones that have a broken one. We do need some sort of more public notification if it fails though.

timwoj avatar Jun 24 '25 16:06 timwoj
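The policy from the comment above (keep the last good entry for an existing package, do not add a new one with broken metadata, and report what was skipped), as an added sketch that is not zkg's own code. The function names `parse_meta` and `aggregate` and the dictionary-based inputs are assumptions made for illustration; the sample metadata is constructed.

```python
import configparser


def parse_meta(text):
    """Return the [package] section as a dict, or raise ValueError with a reason."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as err:  # base class of MissingSectionHeaderError
        raise ValueError(f"unparseable zkg.meta: {type(err).__name__}") from err
    if not parser.has_section("package"):
        raise ValueError("zkg.meta has no [package] section")
    return dict(parser.items("package"))


def aggregate(fetched, previous):
    """fetched: name -> zkg.meta text; previous: name -> last good metadata.

    Returns (aggregate, skipped), where skipped maps name -> reason so the
    caller can surface it (CI annotation, issue, notification).
    """
    result, skipped = {}, {}
    for name, text in sorted(fetched.items()):
        try:
            result[name] = parse_meta(text)
        except ValueError as err:
            skipped[name] = str(err)
            if name in previous:
                # Existing package: keep the last good entry unchanged.
                result[name] = previous[name]
            # New package with broken metadata: not added at all.
    return result, skipped


# Constructed sample input: one valid INI file and a JSON-shaped zkg.meta
# like the one in the traceback (first line is "{").
GOOD = "[package]\ndescription = Example analyzer\nversion = 1.0\n"
JSON_META = '{\n  "package": {"description": "not INI"}\n}\n'
FETCHED = {"good-pkg": GOOD, "existing-broken": JSON_META, "new-broken": JSON_META}
PREVIOUS = {"existing-broken": {"description": "older good metadata"}}

if __name__ == "__main__":
    agg, skipped = aggregate(FETCHED, PREVIOUS)
    for name, reason in skipped.items():
        print(f"WARNING: skipped {name}: {reason}")
    print("aggregated:", sorted(agg))
```

The per-package `try`/`except` is the point: a parse failure is recorded and the loop continues, so one malformed file cannot abort the run for the rest of the registry.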

Another thought is to add the aggregation task as a workflow for PRs, stopping before it saves the aggregation.meta file to the repo. That would at least catch badly-formed packages before they're merged, though wouldn't help with cases where an existing package is updated to a badly-formed state.

timwoj avatar Jun 24 '25 21:06 timwoj