Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v0.36.0 git tag associated with wrong commit. Doesn't match source in PyPI #4754

Open
davidxia opened this issue Nov 12, 2024 · 10 comments
Open

Comments

@davidxia
Copy link

davidxia commented Nov 12, 2024

Expected Behavior

I expect git tags associated with released versions to correspond to the commit that produced software artifacts for those versions in PyPI.

Current Behavior

Currently v0.36.0 has a protobuf requirement of protobuf>=4.24.0,<5.0.0 (permalink in case the tag moves). But when I download the source feast-0.36.0.tar.gz from https://pypi.org/project/feast/0.36.0/#files, I see setup.py has protobuf<4.23.4,>3.20.

Also the date that 0.36.0 was created in PyPI is Feb 17, 2024. The date of the git tag is April 15, 2024. 🤔

Steps to reproduce

See links in "current behavior."

@franciscojavierarceo
Copy link
Member

Unfortunately, there was an issue with that release, which explains the discrepancy. We've reconciled this for others though. Apologies for the inconvenience.

@davidxia
Copy link
Author

I see. Can you move the git tag to the correct commit so it’s possible to examine the source in GitHub?

@franciscojavierarceo
Copy link
Member

franciscojavierarceo commented Nov 26, 2024

I took a look and unfortunately I can't trivially do so. I'd recommend https://pypi.org/project/feast/0.37.1/ which was the release we were able to make correctly which corresponds to https://github.com/feast-dev/feast/releases/tag/v0.37.1

@davidxia
Copy link
Author

davidxia commented Nov 26, 2024

Thanks, can't you just force push the git tag to move it with a command like git tag --force -a v0.36.0 -m "v0.36.0" && git push -f origin refs/tags/v0.36.0?

@franciscojavierarceo
Copy link
Member

Do you happen to know which commit is the one published to pypi?

I do know how to tag the commit, it's finding the right one that's the challenge.

@davidxia
Copy link
Author

I don’t know. I thought the maintainers of this repo would haha

@davidxia
Copy link
Author

You could try to match the hashsums assuming whoever published it did it from an actual commit and not a dirty branch.

@franciscojavierarceo
Copy link
Member

The problem is the published version to PyPi is different than what exists on GitHub so swapping it won't work either.

I believe the commit is https://docs.google.com/document/d/1KX-rqre2x9obyHjKYzSYkg0et1_4nLOD5u75ls5q09o/edit?tab=t.0#heading=h.vtw6pppn20bd

Unfortunately this was a botched release by me (sorry!) and I don't exactly recall what happened but I don't have the permission in PyPi to remove or revoke that PyPi release. Updating the tag would change the existing tag which I believe is what was pushed to docker, so we have a broken 0.36 and our view was to just advise people to move to 0.37.1 instead of using 0.36.0 because we weren't able to get the PyPi permissions to lock it down.

@franciscojavierarceo
Copy link
Member

Apologies for the inconvenience here, but things are much more stable now 😅

@davidxia
Copy link
Author

No worries. Thanks for looking into this. You can maybe “yank” this version on PyPI so it has a warning and people don’t use. Just a suggestion tho. Otherwise, feel free to close this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants