0.22.0 release
ISSUE TYPE
- [x] Bug Report
- [ ] Feature Idea
BUG REPORT
SUMMARY
👋 Looks like the 0.22.0 release did not get completed, thanks!
relates to https://github.com/Homebrew/homebrew-core/pull/125542
Thanks for opening your first issue here! Be sure to follow the issue template!
cc @genevieveluyt
It would be good to not re-tag the release as well.
relates to:
- Homebrew/homebrew-core#126306
- Homebrew/homebrew-core#125542
Hi @chenrui333 I'm actually not sure we can complete the release in the state it was tagged. I think we may need to skip that version and release the next version with the new release process. @chenrui333 is that a problem for brew? @dani-santos-code wdyt?
Not sure if it is related, but for me the latest version 0.22.0 is not working but 0.21.0 is:
/tmp # uname -m
x86_64
/tmp # wget https://github.com/Shopify/kubeaudit/releases/download/v0.22.0/kubeaudit_0.22.0_linux_amd64.tar.gz
Connecting to github.com (192.30.255.112:443)
Connecting to objects.githubusercontent.com (185.199.110.133:443)
saving to 'kubeaudit_0.22.0_linux_amd64.tar.gz'
kubeaudit_0.22.0_lin 100% |*****************************************************************************************************************************************************************| 9724k 0:00:00 ETA
'kubeaudit_0.22.0_linux_amd64.tar.gz' saved
/tmp # tar -zxf kubeaudit_0.22.0_linux_amd64.tar.gz
/tmp # ./kubeaudit
sh: ./kubeaudit: not found
/tmp # rm -rf *
/tmp # wget https://github.com/Shopify/kubeaudit/releases/download/v0.21.0/kubeaudit_0.21.0_linux_amd64.tar.gz
Connecting to github.com (192.30.255.112:443)
Connecting to objects.githubusercontent.com (185.199.110.133:443)
tsaving to 'kubeaudit_0.21.0_linux_amd64.tar.gz'
kubeaudit_0.21.0_lin 100% |*****************************************************************************************************************************************************************| 9604k 0:00:00 ETA
'kubeaudit_0.21.0_linux_amd64.tar.gz' saved
/tmp # tar -xvf kubeaudit_0.21.0_linux_amd64.tar.gz
README.md
kubeaudit
/tmp # ./kubeaudit version
0.21.0
> is that a problem for brew?
Sort of, and I assume that it's likely the same for many other downstream packagers.
Often, we build a new version of a package when we see a new tag come out. And it confuses us when the tag is pulled, modified, and republished later, because we'll see the change in the source artifact's checksum. In those cases we'll have to confirm with upstream maintainers to see if that's intentional. There can be good cases, where the retagging was just a consequence of an oversight; but there can also be bad ones, where the source repository gets compromised somehow. And we'll need to wipe out the chance of the latter.
Also, as mentioned in Git's documentation, re-tagging is an "insane thing" that's strongly discouraged, because tags are meant to be final once they are published. A recommended way would be, as you and also the docs have mentioned, to publish a new version (i.e. tag) instead. (Or if you're just unsure if CI works -- it would be nice to have some other ways to test it, like doing it in a fork.)
I see that the tag v0.22.0 was pulled and republished several times. So, with that said, could we get your confirmation that the tag v0.22.0 published on https://github.com/Shopify/kubeaudit/releases/tag/v0.22.0 (currently pointing to commit 538937d5198e3f11ce28812882ee1c915e7f2683) is legitimate and final? (See also #569.)
Thanks! We appreciate all your great work maintaining the kubeaudit project. ❤️
close via the recent releases
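The downstream check described in the Homebrew reply above (a republished tag shows up as a changed source-artifact checksum) can be sketched as follows. This is an added example, not code from kubeaudit or Homebrew; the `Pin` record, the function names, the placeholder commit ids and the in-memory tarballs are all constructed for illustration.

```python
import hashlib
import io
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    """What a packager recorded when the tag was first packaged (hypothetical record)."""
    tag: str
    commit: str   # commit the tag pointed to at packaging time
    sha256: str   # digest of the source artifact fetched at packaging time


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a deterministic tar archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)  # mtime/uid/gid default to 0
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_release(pin: Pin, observed_commit: str, artifact: bytes) -> list[str]:
    """Return findings; an empty list means the tag still matches the pin."""
    findings = []
    if observed_commit != pin.commit:
        findings.append(f"{pin.tag}: tag moved {pin.commit[:12]} -> {observed_commit[:12]}")
    digest = hashlib.sha256(artifact).hexdigest()
    if digest != pin.sha256:
        findings.append(f"{pin.tag}: artifact sha256 changed to {digest[:12]}...")
    return findings


# Constructed scenario: the same tag name published twice with different content.
ORIGINAL = make_tarball({"README.md": b"kubeaudit\n", "main.go": b"package main\n"})
RETAGGED = make_tarball({"README.md": b"kubeaudit\n", "main.go": b"package main // changed\n"})
PINNED_COMMIT = "a" * 40  # placeholder commit id, not a real commit
MOVED_COMMIT = "b" * 40   # placeholder commit id, not a real commit
PIN = Pin("v0.22.0", PINNED_COMMIT, hashlib.sha256(ORIGINAL).hexdigest())

if __name__ == "__main__":
    for finding in check_release(PIN, MOVED_COMMIT, RETAGGED):
        # Any finding means: hold the update until upstream confirms the tag is final.
        print("HOLD:", finding)
```
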