Issue #1465
closed
All versions in pulp get associated during sync, even if not in remote feed
Description
During sync, there is a check to see if each package has versions already in pulp, but not associated with the repo. The importer incorrectly associates ALL versions that are in pulp, instead of only the ones in the upstream feed.
To reproduce:
- sync a package by name from pypi to repo "foo"
- create a new package with the same name but a unique and scary version (perhaps 0.0.93.soclose), and upload it to repo "bar"
- sync repo "foo" again
- note that your scary new uploaded version found its way into repo foo!
The offending code is here: https://github.com/pulp/pulp_python/blob/pulp-python-1.0.1-1/plugins/pulp_python/plugins/importers/sync.py#L101
It fails to limit "versions_to_associate" to only versions in "all_versions".
I noticed this because of package "numpy" at version "1.10.0.post2". This bug is masking a different bug, where that package sometimes is detected as version "1.10.0.post2", and sometimes as just "1.10.0", and as a result would fail to be associated during sync when already present in pulp, but not in the current repo.
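The association logic reported above, modelled as an added example (not code from pulp_python or from the reporter), with the unfiltered behaviour beside the version limited to the feed. The names `versions_to_associate` and `all_versions` come from the report; every other name and all sample data are hypothetical, and the audit helper assumes repo "foo" is populated only by sync.

```python
def plan_sync(all_versions, in_repo, in_pulp, limit_to_feed=True):
    """Plan one package's sync; returns (versions_to_associate, versions_to_download).

    all_versions: versions listed in the upstream feed
    in_repo:      versions already associated with the repo being synced
    in_pulp:      versions stored anywhere in Pulp, in any repo
    """
    all_versions, in_repo, in_pulp = set(all_versions), set(in_repo), set(in_pulp)
    # Units that exist in Pulp but are not yet in this repo.
    candidates = in_pulp - in_repo
    # Reported behaviour: every candidate is associated.
    # Limited behaviour: only candidates the feed actually lists.
    versions_to_associate = candidates & all_versions if limit_to_feed else candidates
    # Anything the feed lists that Pulp does not hold must be downloaded.
    versions_to_download = all_versions - in_pulp - in_repo
    return versions_to_associate, versions_to_download


def versions_outside_feed(repo_after_sync, all_versions):
    """Audit check: versions in a sync-only repo that the feed never listed."""
    return sorted(set(repo_after_sync) - set(all_versions))


# Constructed sample data following the reproduction steps in the report.
FEED = ["1.9.3", "1.10.0", "1.10.1"]            # upstream feed for the package
REPO_FOO = ["1.9.3"]                            # repo "foo" after its first sync
PULP = ["1.9.3", "1.10.0", "0.0.93.soclose"]    # includes the upload to repo "bar"


def simulate(limit_to_feed):
    """Run the second sync of repo "foo" and audit the result."""
    associate, download = plan_sync(FEED, REPO_FOO, PULP, limit_to_feed)
    repo_after = set(REPO_FOO) | associate | download
    return versions_outside_feed(repo_after, FEED)


if __name__ == "__main__":
    print("unfiltered association:", simulate(False))
    print("limited to feed:       ", simulate(True))
```

Versions are compared as exact strings here, so the "1.10.0.post2" versus "1.10.0" discrepancy mentioned in the report would not match under the limited behaviour.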
Related issues
Updated by mhrivnak about 9 years ago
- Related to Issue #1466: package version discrepancy in pypi API causes problems for sync added
Added by mhrivnak about 9 years ago
Updated by mhrivnak about 9 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 05c2dd33bc36caa64760b7e0ba2da348151a876a.
Updated by semyers over 8 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
converted to use mongoengine
fixes #877 fixes #1465
https://pulp.plan.io/issues/877 https://pulp.plan.io/issues/1465
1465 was fixed by accident in the course of doing the conversion