Unstable MD5 Due to Git Archive + Versioneer

[citibeth]

The use of templates in a GitHub repo, plus auto-filling of them from git archive, can result in unstable hashes.

While installing, I noticed that one package's hash had changed from a year ago: https://github.com/SciTools/cf_units

These things must always be investigated. So I downloaded the tarball using GitHub's archive feature (https://github.com/SciTools/cf_units/archive/v1.1.3.tar.gz) and compared it to the old tarball I had lying around.

Expected Result

I expected the two to be the same.

Actual Result

I got the diff:

$ diff -r cf/cf_units-1.1.3 py/cf_units-1.1.3
diff -r cf/cf_units-1.1.3/cf_units/_version.py py/cf_units-1.1.3/cf_units/_version.py
26c26
<     git_refnames = " (tag: v1.1.3)"
---
>     git_refnames = " (HEAD -> master, tag: v1.1.3)"

Digging Deeper

I looked at _version.py in the repo and found the following https://github.com/SciTools/cf_units/blob/master/cf_units/_version.py

def get_keywords():
    """Get the keywords needed to look up the version information."""
    # these strings will be replaced by git during git-archive.
    # setup.py/versioneer.py will grep for the variable names, so they must
    # each be defined on a line of their own. _version.py will just call
    # get_keywords().
    git_refnames = "$Format:%d$"
    git_full = "$Format:%H$"
    keywords = {"refnames": git_refnames, "full": git_full}
    return keywords

Apparently, the templates in this file are filled in when git-archive is run (GitHub runs git-archive when a special archive URL is used, as above). And even though the version is stable, the presence of additional branches or tags on a commit can cause git_refnames to change, and thus the MD5 to change.

Proposed Solution

Encourage upstream authors to avoid the use of git_refnames (above) if they don't need it. Encourage upstream authors to make sure that tagged releases don't have any additional tags or branches on them.

This won't be an issue for the vast majority of upstream authors who don't use git-archive to substitute in versions.

Has anyone else encountered this?

[pelson]

Hi,

I've been pointed at this issue from SciTools/cf-units#87.

From a security perspective, MD5 is not the correct tool to use to ensure the tarball is untampered, however, the sentiment remains - it isn't ideal for a cryptographically-secure hash to change after the release date.

From an impact point-of-view, this might be broader than you think. Even packages like matplotlib are using versioneer/git-archive to inject versions into the source. From a design perspective, the version of one's code is best separated from the code itself, and ideally managed for you by your source repository (git in almost everybody's case nowadays).

Over at conda-forge we have also felt the pain of these checksums changing - if a tag is made from a commit that is not on master, but is then subsequently put onto master, we see this occur.

In general, I don't think it is likely that versioneer nor git-archive will cease being used at cf-units (nor I suspect in the wider ecosystem), however, I'd be more than happy to ensure that tags being cut make it into master ASAP. This will prevent the git_refnames from changing, and thus provide a stable checksum.

Would that be a helpful approach to solving this issue?

Thanks,

Phil

[citibeth]

Would that be a helpful approach to solving this issue?

Yes thanks!