Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vendor check to succeed even if copyright information is not found #40489

Merged
merged 1 commit into from
Feb 14, 2020
Merged

Vendor check to succeed even if copyright information is not found #40489

merged 1 commit into from
Feb 14, 2020

Conversation

pricec
Copy link
Contributor

@pricec pricec commented Feb 10, 2020

- What I did
The documentation for validate_vendor_used in hack/validate/vendor states
that a warning will be emitted if license information cannot be found in
a vendored package. However, because the script is run with pipefail set
(owing to the inclusion of the common validation script .validate) and
grep -c is used, the entire script will fail whenever license information
cannot be found in a vendored package.

I updated the hack/validate/vendor script to ensure the function's behaviour
is consistent with the documentation.

- Description for the changelog
Vendor check to succeed even if copyright information is not found

@pricec pricec requested a review from tianon as a code owner February 10, 2020 13:47
@thaJeztah
Copy link
Member

Curious: was there a specific dependency where this check failed?

@pricec
Copy link
Contributor Author

pricec commented Feb 10, 2020

I observed a failure relating to github.com/segmentio/analytics-go while running the ee-engine pipelines on the Mirantis side.

@thaJeztah
Copy link
Member

Looks like their "master" branch has a correct LICENSE file; segmentio/analytics-go@bbea922

But the v2.0 and v3.0branches have aLicense.md`. Which is not common (and also would potentially cause Github's license detection to fail).

Best way forward would be to (in order of preference);

  1. Open a PR in that repository to rename License.md to LICENSE
  2. Add License.md to the list of files to check instead of "ignoring" missing licenses. Perhaps case-insensitive (unless that adds a lot of complexity)

Note that (I think) Docker EE was still on their v2.x version, which has been deprecated (I recall working on changing to v3.0, and opening a few PR's with them, e.g. segmentio/analytics-go#150 and segmentio/analytics-go#151), but the package looks to be largely unmaintained. If Mirantis is a customer, perhaps try to get some attention to it through those channels (as it's quite bad that they don't maintain the package).

@pricec
Copy link
Contributor Author

pricec commented Feb 10, 2020

Sure, but this function still seems broken, at least according to the documentation.

@thaJeztah
Copy link
Member

Ah, you're right, I didn't notice that the intent was to only "warn" (and not fail);

# 2. make sure all the packages contain license information (just warning, because it can cause false-positive)

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ping @tianon PTAL

@@ -40,7 +40,7 @@ validate_vendor_diff(){
validate_vendor_used() {
for f in $(mawk '/^[a-zA-Z0-9]/ { print $1 }' vendor.conf); do
if [ -d "vendor/$f" ]; then
found=$(echo "vendor/$f/"* | grep -iEc '/(LICENSE|COPYING)')
found=$(echo "vendor/$f/"* | grep -iEc '/(LICENSE|COPYING)' || true)
if [ "$found" -eq 0 ]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're checking the output of grep and that's all this is for, then we should just check the return value directly instead, ala:

if ! echo ... | grep -qiEc ...; then

(Sorry for brevity, on my phone but I think you get the idea)

@@ -40,8 +40,7 @@ validate_vendor_diff(){
validate_vendor_used() {
for f in $(mawk '/^[a-zA-Z0-9]/ { print $1 }' vendor.conf); do
if [ -d "vendor/$f" ]; then
found=$(echo "vendor/$f/"* | grep -iEc '/(LICENSE|COPYING)')
if [ "$found" -eq 0 ]; then
if ! echo "vendor/$f"/* | grep -qiEc '/(LICENSE|COPYING)'; then
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tianon Is this more agreeable with you?

Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@pricec
Copy link
Contributor Author

pricec commented Feb 10, 2020

@tianon I don't think this is quite right; the script sources hack/validate/.validate, which sets pipefail, so I think the script will terminate instead of printing the warning.

I think we will need to capture and analyze the output of grep -c and ignore the return code to avoid an early exit.

@pricec
Copy link
Contributor Author

pricec commented Feb 12, 2020

ping @thaJeztah @tianon PTAL

I had to change this back because of the fact that pipefail is set. All return codes must be 0 or the validation phase will fail.

@thaJeztah
Copy link
Member

Ah, just had this tab open and wanted to ask if you verified that it didn't work with those changes 😅

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tianon
Copy link
Member

tianon commented Feb 12, 2020

Neither of set -e or pipefail will apply inside the command block run by if:

$ ( set -Eeuo pipefail; echo first; false; echo second ); echo $?
first
1
$ ( set -Eeuo pipefail; echo first; false | true; echo second ); echo $?
first
1
$ ( set -Eeuo pipefail; echo first; true | false; echo second ); echo $?
first
1
$ ( set -Eeuo pipefail; echo first; if false; then echo false; fi; echo second ); echo $?
first
second
0
$ ( set -Eeuo pipefail; echo first; if false | true | false; then echo false; fi; echo second ); echo $?
first
second
0

The documentation for validate_vendor_used in hack/validate/vendor states
that a warning will be emitted if license information cannot be found in
a vendored package. However, because the script is run with pipefail set
(owing to the inclusion of the common validation script .validate) and
`grep -c` is used, the entire script will fail whenever license information
cannot be found in a vendored package.

Signed-off-by: Chris Price <[email protected]>
@pricec
Copy link
Contributor Author

pricec commented Feb 13, 2020

Neither of set -e or pipefail will apply inside the command block run by if:

TIL. Thanks and sorry for my confusion!

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (again 😅)

@thaJeztah
Copy link
Member

Windows failure is unrelated, and being discussed in #40512

Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit d877250 into moby:master Feb 14, 2020
@thaJeztah thaJeztah added this to the 20.03.0 milestone Apr 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants