@microsoft-github-policy-service agree

@njakob out of curiosity, how did you find those incorrect versions? There already is a GitHub bot that makes sure the version database is updated correctly but as you have seen, there are ways to fool the bot.

<off-topic>
@njakob On vcpkg.link:
"No license" is displayed when a port manifest has "license": null. IMO this is misleading. These ports do have license terms. They are just too complex to be expressed in the SPDX license field, or strongly depend on selected features.
Example: gdal
Suggestion: Display "Complex license" or similar.
Reference: https://github.com/microsoft/vcpkg/blob/master/docs/maintainers/manifest-files.md#license
</off-topic>

@njakob out of curiosity, how did you find those incorrect versions? There already is a GitHub bot that makes sure the version database is updated correctly but as you have seen, there are ways to fool the bot.

That's a good question @Thomas1664! Since this should have been part of the PR description, I added some details on how I did find these broken versions.

First of all, I haven't checked in detail how the bot is generating suggestions. However, it seems we're not performing an integrity check of the changed versions file.

We could imagine adding a separate GitHub action performing a git ls-tree of each entry of the changed files. This way we would catch such cases before they get merged into master and keep the existing suggestion system.

I could take a look at this in the following days if that's something you believe could be valuable!

@njakob On vcpkg.link: "No license" is displayed when a port manifest has "license": null. IMO this is misleading. These ports do have license terms. They are just too complex to be expressed in the SPDX license field, or strongly depend on selected features. Example: gdal Suggestion: Display "Complex license" or similar. Reference: https://github.com/microsoft/vcpkg/blob/master/docs/maintainers/manifest-files.md#license

That's very valuable feedback @dg0yt, I have not considered this case and missed the meaning of the null value. Your idea to use a different terminology makes a lot of sense!

Quickly searching over the repository, it seems we also have cases with a license file without any indication in the manifest (e.g. vulkan). I'm wondering if we should somehow either always add the "complex license" as part of the port or enable contributors to specify an external URL for it. This, however, deserves its own issue to be discussed and tracked.

I'll make sure to address the issue you raised @dg0yt today! Edit: I pushed an update that includes your suggestion!

There is an existing --verify-git-trees flag that checks for consistency in the version database. I'm working on some changes to enable it on every PR run, but in its current implementation is too costly to run.

Thanks for the PR!

Related to this, in the process of trying to establish a maintenance branch for our code consuming libharu at version 2017-08-15#10, I seem to have come across issue 25518, which was fixed by PR2553. The problem appears to be that the fix is the removal of the TIFF symbols and not fixing the original hash:

url : [ https://github.com/libharu/libharu/pull/157.diff ]
1> File path : [ C:\Users<user>\AppData\Local\Programs\vcpkg\downloads\libharu-shading-pr-157.patch.28904.part ]
1> Expected hash : [ f2ddb22b54b4eccc79400b6a4b2d245a221898f75456a5a559523eab7a523a87dfc5dfd0ec5fb17a771697e03c7ea6ed4c6095eff73e0a4302cd6eb24584c957 ]
1> Actual hash : [ 10562c8c9c6975b74d625912e7d3b850376941d5e46136679371ce1315f416b6b8e91d73fd1257b907327b2d71d50b8c026547203f280e42fb7b1901245de03c ]

This means building the versions prior to the fix still produce the hash error. I hope I've understood this correctly. This is on a fresh install of vcpkg and after doing a git pull.

This is the vcpkg.json I was using:
{ "name": "repsu", "version-string": "5.0.0", "dependencies": [ { "name": "libharu", "version>=": "2017-08-15#10" } ], "builtin-baseline": "ba383ed2332f42593a30dd3f35b09f4a59d31d91" }

@gharwo

The SHA bfeaf0d13fce9156ac216daa37a2c945290fc0ed is invalid in a local clone of vcpkg, and because of that, removing them from the version database was the right thing to do.

However, since GitHub keeps the PR refs around (and thus the git objects), one can obtain the files for that specific SHA from GitHub via https://github.com/Microsoft/vcpkg/archive/bfeaf0d13fce9156ac216daa37a2c945290fc0ed.zip.

If you must take that version and cannot upgrade the port, then you should download the port files form the URL provided above and create a port overlay for libharu.

@vicroms @gharwo The problem in #28571 (comment) is the occassional vcpkg habbit of downloading diffs from other repos instead of committing them to vcpkg. You will always get a valid diff from GH, but it is not binary stable over time. So SHA512 checks can fail after some time.

The variable part in the downloaded diffs ist the format of the index lines. Example for the given diff:
original: index 44b816c..60b1d84 100644
current: index 44b816c2..60b1d847 100644

A regex substitution e.g. in VS Code transforms the download from the actual hash to the expected hash: (Hey, I produced a SHA512 collission ;-)
(^index .......).(\.\........). -> $1$2

Pulling that specific PR ref worked perfectly and enabling the overlay port in vcpkg-configuration embedded in vcpkg.json of the maintenance branch means less churn for maintenance releases. Thanks.