Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vcpkg 2018.11.23-nohash #2733

Closed
ras0219-msft opened this issue Nov 7, 2018 · 3 comments
Closed

Vcpkg 2018.11.23-nohash #2733

ras0219-msft opened this issue Nov 7, 2018 · 3 comments
Labels
Visual Studio 2015 Visual Studio 2017 Visual Studio 2019 Preview
Milestone
windows-images-up...

Comments

@ras0219-msft
Copy link

As part of installing packages, vcpkg downloads several external executables such as nuget.exe and 7-zip. 7-zip specifically is downloaded from NuGet.org as a NuGet package and then unpacked locally.

To protect users from malicious executables, the vcpkg system has hashes checked in for every file that is externally downloaded. Unfortunately, NuGet.org has just modified all existing packages to include signature files inside the zip, which changes the hash.

We have fixed this issue in Vcpkg master[1], however since appveyor uses an older copy it will not have these fixes until the next image update.

These are the possible mitigation strategies I see:

  1. Mint a new image with the new vcpkg version
  2. Before spinning up a windows build, run git pull && ./bootstrap-vcpkg.bat in the vcpkg tool folder. This avoid minting a new image but requires adding startup time to every build. If you want to pull a specific commit with the fix, use 068032bc548817a04709970f76268a6d7b1767c7.
  3. Recommend to users that they do x86 java #2 before their builds -- this will still cause disruption for users because they need to see at least one of their builds fail, search, and eventually stumble upon this issue.

A longer-term mitigation against issues like this in the future would be to recommend in the appveyor docs on vcpkg that users explicitly pull new versions before running their build.

[1] microsoft/vcpkg#4663
@IlyaFinkelshteyn IlyaFinkelshteyn added this to the next-images-update milestone Nov 8, 2018
IlyaFinkelshteyn pushed a commit to appveyor/website that referenced this issue Nov 8, 2018
Address appveyor/ci#2733
54331d0 
appveyor/ci#2733
@IlyaFinkelshteyn IlyaFinkelshteyn mentioned this issue Nov 8, 2018
Merged
@IlyaFinkelshteyn
Copy link
Contributor

@ras0219-msft will add this to next image update, Unfortunately we started distribution of new image yesterday and it is already late to get into this train. Next one should not take too long. As you see I am updating documentation, and you are welcome to contribute too :)

IlyaFinkelshteyn pushed a commit to appveyor/website that referenced this issue Nov 8, 2018
Address appveyor/ci#2733 (#554)
5231f5d 
appveyor/ci#2733
craftwar added a commit to craftwar/obs-studio that referenced this issue Nov 12, 2018
@craftwar
CI: Add vcpkg workaround
513e624 
appveyor/ci#2733
craftwar added a commit to craftwar/obs-studio that referenced this issue Nov 12, 2018
@craftwar
CI: Add vcpkg workaround
715dae5 
appveyor/ci#2733
@IlyaFinkelshteyn IlyaFinkelshteyn mentioned this issue Nov 15, 2018
Closed
@FeodorFitsner
Copy link
Member

Updating vcpkg:

cd "C:\Tools\vcpkg"
git pull
.\bootstrap-vcpkg.bat

@FeodorFitsner FeodorFitsner changed the title Vcpkg will fail to install packages due to NuGet.org changes Vcpkg 2018.11.23-nohash Jan 31, 2019
@IlyaFinkelshteyn
Copy link
Contributor

New Windows images deployed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Visual Studio 2015 Visual Studio 2017 Visual Studio 2019 Preview
Projects
None yet
Milestone
windows-images-update-2019-02-03
Development

No branches or pull requests
3 participants
@IlyaFinkelshteyn @FeodorFitsner @ras0219-msft