
"no hash listed" error with -Zpackage-workspace #14396

Open
workingjubilee opened this issue Aug 14, 2024 · 3 comments
Labels
C-bug Category: bug Command-package S-needs-info Status: Needs more info, such as a reproduction or more background for a feature request. Z-package-workspace Nightly: package-workspace

Comments

workingjubilee (Member) commented Aug 14, 2024

Problem

In the pgrx repo, on commit https://github.com/pgcentralfoundation/pgrx/commits/47e8465c048773bec8399fd3b50455e736ba8056

Command:

./update-versions.sh 0.0.999-rc.999 && \
    cargo +nightly package \
        --workspace -Zpackage-workspace \
        --allow-dirty \
        --features "pg14"

Result:

    Finished `dev` profile [unoptimized + debuginfo] target(s) in 50.13s
   Verifying pgrx v0.0.999-rc.999 (/home/jubilee/tcdi/pgrx/pgrx)
    Updating crates.io index
   Unpacking pgrx-pg-sys v0.0.999-rc.999 (registry `/home/jubilee/tcdi/pgrx/target/package/tmp-registry`)
error: failed to verify package tarball

Caused by:
  failed to download `pgrx-pg-sys v0.0.999-rc.999`

Caused by:
  unable to get packages from source

Caused by:
  no hash listed for pgrx-pg-sys v0.0.999-rc.999
note: this is an unexpected cargo internal error
note: we would appreciate a bug report: https://github.com/rust-lang/cargo/issues/
note: cargo 1.82.0-nightly (94977cb1f 2024-08-06)

baffling? no idea what I did beyond running this command to cause this. I just dropped everything to open a report first. I've run almost this precise command several times successfully...? Now every time I run this command in that repo, with that working state, I get the error:

cargo +nightly package --workspace -Zpackage-workspace --allow-dirty --features "pg14"

I saved my entire repo directory as a duplicate before I did anything else.

Steps

No response

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.82.0-nightly (94977cb1f 2024-08-06)
release: 1.82.0-nightly
commit-hash: 94977cb1fab003d45eb5bb108cb5e2fa0149672a
commit-date: 2024-08-06
host: x86_64-unknown-linux-gnu
libgit2: 1.8.1 (sys:0.19.0 vendored)
libcurl: 8.9.0-DEV (sys:0.4.74+curl-8.9.0 vendored ssl:OpenSSL/3.3.1)
ssl: OpenSSL 3.3.1 4 Jun 2024
os: Arch Linux Rolling Release [64-bit]
@workingjubilee workingjubilee added C-bug Category: bug S-triage Status: This issue is waiting on initial triage. labels Aug 14, 2024
epage (Contributor) commented Aug 14, 2024

CC @jneem

jneem (Contributor) commented Aug 15, 2024

@workingjubilee can you help me obtain that commit? A fresh clone doesn't give me it...

Running that cargo package command on the develop branch completed successfully for me.

@epage epage added the Z-package-workspace Nightly: package-workspace label Sep 5, 2024
@weihanglo weihanglo added S-needs-info Status: Needs more info, such as a reproduction or more background for a feature request. and removed S-triage Status: This issue is waiting on initial triage. labels Dec 29, 2024
epage (Contributor) commented May 2, 2025

@workingjubilee any help you can give on reproducing this? This is one of the last open questions before stabilization.

epage added a commit to epage/cargo that referenced this issue Jun 5, 2025
A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.

Many release tools have come out that solve this problem.
They will still need a lot of the logic that went into that for other
parts of the release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout

`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the publish,
the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over time,
including
- atomic publish
- `--idempotent` (rust-lang#13397)
- leave this to release tools to manage

This includes support for `--dry-run` verification.
As release tools didn't have a way to do this before,
users may be surprised at how slow this is because a `cargo build` is
done instead of a `cargo check`.  This is being tracked in rust-lang#14941.

This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.

Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`, `c` then
we'll wait up to 60 seconds and if only `a` and `b` were ready in that time,
we'll then wait another 60 seconds for `c`.

During testing, users ran into issues with `.crate` checksums that we've
not been able to reproduce since:
- rust-lang#1169 (comment)
- rust-lang#14396

By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.

Fixes rust-lang#1169
Fixes rust-lang#10948
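The commit message above describes two behaviours that matter for the error in this issue: the overlay registry (locally built `.crate` files shadow the registry, and on a version conflict the local copy wins) and the checksum requirement for anything that does come from the registry, which is where "no hash listed" is raised. The following is an added toy model of that resolution logic, written for this page; it is not Cargo's code. It assumes a constructed index and constructed crate bytes, and uses 64-bit FNV-1a as a stand-in for the SHA-256 checksum Cargo actually records, so that it runs without external crates.

```rust
use std::collections::HashMap;

/// An index entry for a published package. `checksum` is `None` when the
/// index (or lockfile) carries no hash for that version.
#[derive(Clone, Debug, PartialEq)]
struct IndexEntry {
    name: String,
    version: String,
    checksum: Option<u64>,
}

#[derive(Debug, PartialEq)]
enum Resolved {
    /// Served from the locally built `.crate` (the overlay layer).
    Local,
    /// Served from the registry after the checksum matched.
    Registry,
}

#[derive(Debug, PartialEq)]
enum ResolveError {
    NotFound,
    /// Models cargo's "no hash listed for <pkg>" failure.
    NoHashListed,
    ChecksumMismatch { expected: u64, actual: u64 },
}

/// Stand-in for SHA-256 (FNV-1a, 64-bit) so the example runs without crates.
fn checksum(bytes: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in bytes {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

fn key(name: &str, version: &str) -> (String, String) {
    (name.to_string(), version.to_string())
}

struct OverlayRegistry {
    /// `.crate` files produced by the current `cargo package` run.
    local: HashMap<(String, String), Vec<u8>>,
    /// What the registry index says exists, with its checksum.
    index: Vec<IndexEntry>,
    /// Bytes a download of that version would return.
    remote: HashMap<(String, String), Vec<u8>>,
}

impl OverlayRegistry {
    fn resolve(&self, name: &str, version: &str) -> Result<Resolved, ResolveError> {
        let k = key(name, version);
        // Overlay rule: on a version conflict the local .crate wins and no
        // registry download (or hash check) happens for it.
        if self.local.contains_key(&k) {
            return Ok(Resolved::Local);
        }
        let entry = self
            .index
            .iter()
            .find(|e| e.name == name && e.version == version)
            .ok_or(ResolveError::NotFound)?;
        // A registry package must have a listed hash before any bytes are trusted.
        let expected = entry.checksum.ok_or(ResolveError::NoHashListed)?;
        let bytes = self.remote.get(&k).ok_or(ResolveError::NotFound)?;
        let actual = checksum(bytes);
        if actual != expected {
            return Err(ResolveError::ChecksumMismatch { expected, actual });
        }
        Ok(Resolved::Registry)
    }
}

/// Constructed sample data for this example (not real crates.io content).
fn sample() -> OverlayRegistry {
    let serde_ok = b"serde-1.0.0.crate bytes".to_vec();
    let libc_ok = b"libc-0.2.0.crate bytes".to_vec();
    let mut remote = HashMap::new();
    remote.insert(key("serde", "1.0.0"), serde_ok.clone());
    remote.insert(key("libc", "0.2.0"), libc_ok.clone());
    remote.insert(key("rand", "0.8.0"), b"tampered rand bytes".to_vec());
    let mut local = HashMap::new();
    local.insert(key("pgrx-pg-sys", "0.0.999-rc.999"), b"locally built pgrx-pg-sys".to_vec());
    // Same name and version as a registry entry: the local copy shadows it.
    local.insert(key("libc", "0.2.0"), b"locally built libc".to_vec());
    OverlayRegistry {
        local,
        index: vec![
            IndexEntry { name: "serde".into(), version: "1.0.0".into(), checksum: Some(checksum(&serde_ok)) },
            IndexEntry { name: "libc".into(), version: "0.2.0".into(), checksum: Some(checksum(&libc_ok)) },
            IndexEntry { name: "tokio".into(), version: "1.0.0".into(), checksum: None },
            IndexEntry { name: "rand".into(), version: "0.8.0".into(), checksum: Some(checksum(b"genuine rand bytes")) },
        ],
        remote,
    }
}

fn main() {
    let reg = sample();
    for (n, v) in [("pgrx-pg-sys", "0.0.999-rc.999"), ("serde", "1.0.0"), ("libc", "0.2.0"), ("tokio", "1.0.0"), ("rand", "0.8.0")] {
        println!("{n} v{v}: {:?}", reg.resolve(n, v));
    }
}
```

The `libc` case is the dependency-confusion shape the commit message flags: a locally produced `.crate` with a name and version that also exist on the registry is taken without any download or hash comparison. That is acceptable only because the overlay is scoped to a `cargo package`/`cargo publish` run, as the message says; the same "local wins" rule in a general build would be a vulnerability.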