Currently we only check the compressed max size.

See: https://github.com/hexpm/hexdocs/blob/97a7d2a8ecea503cd0e93e83e3e2417a8a6f67d3/lib/hexdocs/tar.ex#L14:L46

The link https://github.com/hexpm/specifications/blob/master/http_api.md is correct on GitHub's README.md but the same link, when put here -- https://hexdocs.pm/hex_core/0.8.4/readme.html#api -- has a trailing dot added to it, leading to a 404.

There's a regression on master that was only caught when I tried vendoring master into Hex. proper plugin does not compile on otp 17, so we need to again try fixing that or add some workaround.

In some cases we manually use binary keys:

https://github.com/hexpm/hex_core/blob/v0.6.1/src/hex_api_key.erl#L20:

Params = #{<<"name">> => Name, <<"permissions">> => Permissions},

but in some we allow user to pass the map:

https://github.com/hexpm/hex_core/blob/v0.6.1/src/hex_api_release.erl#L45

hex_api:post(Config, Path, Params).

And so the user may pass atom keys like we used to do here:

wojtekmach/mini_repo@f6c8f39#diff-5008c7016636a9b7531bd02fa4abb5ffL52

We should ensure the params are always a map of binary keys.

hex_core ships with a built-in httpc-based adapter but it's default options are insecure (doesn't verify server certs etc). See e.g.: https://blog.voltone.net/post/23 for more info.

We should port httpc configuration from Hex here or at the very least add some docs around this topic.

So that it shows up e.g. here: https://diff.hex.pm/diff/hex_core/0.6.9..0.6.10

The specs are:

-spec create(metadata(), files()) -> {ok, {tarball(), checksum()}}.
-type contents() :: #{filename() => binary()}.
-type filename() :: string().
-type files() :: [filename() | {filename(), filename()}] | contents().

but we don't actually accept a map as files on create, we're incorrectly re-using contents type that is only for unpack.

Given that #121 is required for erlef/rebar3_hex#229, and in light of the rebar3 3.16.1 SSL thing, which you address in #123, would you consider cutting a release after that? Thanks much.

Validate package metadata against spec errors, do not include superfluous fields and do not allow type errors.

We can also add separate, optional functions to validate package metadata for warnings, we can pass it a list of policies that can be used, like (hexpm/public/private). We could handle the tarball size validation the same way to not be locked into hexpm specifics.

NOTE: Do not include maintainers in the package metadata.

Not too sure if there's something off in how I'm using it (on linux):

λ hex_erl → master → ./vendor.sh
Usage: vendor.sh TARGET_DIR PREFIX
λ hex_erl → master → ./vendor.sh ../rebar3/src/ hex_
sed: -e expression #1, char 1: unknown command: `.'
λ hex_erl → master → ./vendor.sh ~/code/rebar3/src/ hex_
./vendor.sh: line 39: /home/ferd/code/rebar3/src//hex_hex_erl.hrl: No such file or directory
λ hex_erl → master → ./vendor.sh ~/code/rebar3/src hex_
./vendor.sh: line 39: /home/ferd/code/rebar3/src/hex_hex_erl.hrl: No such file or directory

I couldn't get it to do anything else but these things.

Need to backport hexpm/hex#31 here.

Back in Nov 2020, hex_core needed to support OTP 17:

hex_core needs to support OTP 17. This is because it needs to be usable by Hex which in turns needs to be usable by Elixir 1.0.x. At some point Hex will no longer support old Elixir versions but not quite yet.

I'm wondering what the oldest OTP version is that hex_core needs to support now? The background for my question is that for gpb, I've retained compatibility with older Erlang versions, but would like to know if I can drop some? For example for maps, Erlang 18 added support for using variables as map keys, so still needing to supporting Erlang 17 in gpb would impose some limitations on how the code could be phrased. As far as I'm aware, hex_core is the project that needs support for the oldest Erlang for gpb. A recent issue in gpb, tomas-abrahamsson/gpb#217 prompted this question.

I tried looking for info on the oldest Elixir still supported by Hex, but failed to find it. Related: the latest Elixir, currently 1.13.4, says that the oldest Elixir to still receive security patches is 1.9, which is compatible with Erlang versions 20-22. Some more research: Debian old-stable, currently buster, ships Elixir 1.7.4 (link), which is compatible with Erlang 19-22.

Currently the API is:

-type contents() :: #{filename() => binary()}.
-type tarball() :: binary().
%% ...

-spec unpack(tarball(), memory) ->
                {ok, #{checksum => checksum(), metadata => metadata(), contents => contents()}} |
                {error, term()};
            (tarball(), filename()) ->
                {ok, #{checksum => checksum(), metadata => metadata()}} |
                {error, term()}.

so we are only able to accept binaries. I'm wondering if we should accept filenames too, so instead of binary() we accept {binary, binary()} | filename:filename() and deprecate the former? Eventually, at say v1.0, we'd accept {binary, binary()} | filename:filename_all().

This is a low-level library so I'm ok with pretty low level interface but I think this change would make it more convenient to use and I wish I'd have started with that.

Thoughts? cc @ferd @tsloughter

v0.1.0:

• Add script to vendor hex_erl into other builds tools (rewrite vendor_hex_erl task in bash or something; include hex_erl version in generated files) (#7)
• Add ETag support to hex_repo (#8)
• Add hex_api client per https://github.com/hexpm/specifications/blob/master/http_api.md
  • public endpoints (get package, get release etc) (#11)
  • search endpoint
  • private endpoints (keys, owners etc) (#26)
  • organizations support (#26)
  • create user endpoint (#26)
  • publish package endpoint (#26)
  • Add ETag support
  • Rate limit headers support (no longer applies, we return all headers)
  • URI.encode (in Erlang) URLs (#26)

v0.2.0:

• Add functions to build registry resources (hex_registry:build_names etc, ref: hexpm/hexpm#647 (comment))

When trying to publish docs for aws-beam/aws-erlang I ran into an issue where trying to publish the docs resulted in the following error: "tarball error, unknown POSIX error".

After patching OTP to include the actual error as per my local OTP patch I figured the actual error is too_big which comes from

rebar3_hex uses hex_tarball:create_docs/1 and does not allow overriding the default configs coming from:

One can argue for one of two things:

1. rebar3_hex should not use create_docs/1 but should instead use create_docs/2 and allow the overriding of tarball_max_size and tarball_max_uncompressed_size.
2. The defaults chosen in hex_core are too small and hence should be increased.

https://github.com/hexpm/hex_core/blob/a708f382f1b2e34b1d49adac18af8ce35c969af4/src/hex_tarball.erl

This is related to hexpm/hex#766.

This should be enforced by the repo implementation, not the core library.

The retirement reason / params is specified as as atoms and the keys for params as atoms. However, this does not work. iirc, at one point in time atoms were allowed, but that changed, and we can see that here : https://github.com/hexpm/hexpm/blob/e1251217d56ec91cdb104a27d9dd70eb08aa0f47/lib/hexpm_web/erlang_format.ex#L18

It may be there was intention to serialize atoms to strings from the client side via protobuf, but that doesn't appear to work. Testing locally nets me an http 400.

I'm remember all this being discussed some years ago, but the memory is fuzzy around the details now. In other words, either this is a bug in encoding within hex_code (it does not fail in hex_core to be clear) or the specs need to be adjusted to reflect reality.

E.g.:

mix hex.package fetch loki 0.1.0 --unpack
** (MatchError) no match of right hand side value: {:error, :enoent}
    (hex 0.20.1) src/mix_hex_tarball.erl:220: :mix_hex_tarball.copy_metadata_config/2
    (hex 0.20.1) src/mix_hex_tarball.erl:209: :mix_hex_tarball.finish_unpack/1
    (hex 0.20.1) lib/hex.ex:183: Hex.unpack_tar!/2
    (hex 0.20.1) lib/mix/tasks/hex.package.ex:114: Mix.Tasks.Hex.Package.fetch/4
    (mix 1.10.0-dev) lib/mix/task.ex:330: Mix.Task.run_task/3
    (mix 1.10.0-dev) lib/mix/cli.ex:83: Mix.CLI.run_task/2

If an invalid semver is provided as an argument when attempting to revert a package (i.e., "eh?") hexpm will return a 400 with an appropriate message (can only delete a release up to one hour after publication) however this message is not properly passed back to the caller. It's not clear as to why. @wojtekmach believes the body is simply not passed back to the caller in this case.

The raw error returned from hex_core:

{error,{rebar3_hex_revert,{api_error,<<"truecoat">>,<<"me">>,[72,84,84,80,32,115,116,97,116,117,115,32,99,111,100,101,58,32,"400"]
}}}

Or in other words : "HTTP status code: 400"

Edit:

Note this issue was originally opened on hexpm as hexpm/hexpm#1015. If it turns out this a problem at in hexpm vs hex_core we can simply re-open the other, but my assumption is the same as @wojtekmach's on this one.

https://github.com/hexpm/hex_core/blob/master/src/hex_http_httpc.erl#L14

If your connection is gone the left hand side match fails because you actually get {:error, {:failed_connect, [{:to_address, {'repo.hex.pm', 443}}, {:inet, [:inet], :nxdomain}]}}

It'd be nice if that error tuple was passed through instead of having to wrap all calls in try and rescuing the MatchError. I feel that the fact that it returns a ok tuple implies that it would also return an error tuple in this case

If this sounds reasonable I can make a PR

Validations:

• the same size validations as we currently do for package tarballs
• ensure top-level file is not a valid semver

I have a project that includes hex_erl in rebar.config e.g.

{deps,[
    {hex_erl, {git, "https://github.com/hexpm/hex_erl.git", {branch, "master"}}}
]}.

When I run rebar3 compile in my project I get the following error:

===> Verifying dependencies...
===> Fetching hex_erl ({git,"https://github.com/hexpm/hex_erl.git",
                                  {ref,
                                      "6c8973c2ce3acea1ebec8f08d23b4951f272361b"}})
===> Compiling hex_erl
===> Unable to run pre hooks for 'compile', command 'compile' in namespace 'protobuf' not found.

It seems that when protobuf is added as project plugin it isn't fetched as project dependency. https://github.com/hexpm/hex_erl/blob/6c8973c2ce3acea1ebec8f08d23b4951f272361b/rebar.config#L3-L6
https://github.com/hexpm/hex_erl/blob/6c8973c2ce3acea1ebec8f08d23b4951f272361b/rebar.config#L18-L23
Please refer to end of this section in rebar3 documentation: http://www.rebar3.org/v3/docs/using-available-plugins#section-project-plugins-and-overriding-commands

Environment : Running wsl Ubuntu behind a corporate proxy

Error Message:
===> Errors loading plugin pc. Run rebar3 with DEBUG=1 set to see errors.
===> Expanded command sequence to be run: []
===> Running provider: do
===> Expanded command sequence to be run: [app_discovery,{bare,compile}]
===> Running provider: app_discovery
===> Found top-level apps: [snappyer]
using config: [{src_dirs,["src"]},{lib_dirs,["apps/","lib/","."]}]
===> Getting definition for package pc from repo hexpm
===> hex_repo:get_package failed for package <<"pc">>: {badmatch,
{error,enotdir}}
===> throw {error,{rebar_app_utils,{missing_package,<<"pc">>,undefined}}} [{rebar_app_utils,
update_source,
3,
[{file,
Heres the mix file
defmodule Sputnik.MixProject do
use Mix.Project

def project do
[
app: :sputnik,
version: "0.1.0",
elixir: "~> 1.14.3",
start_permanent: Mix.env() == :prod,
deps: deps()
]
end

Run "mix help compile.app" to learn about applications.

def application do
[
extra_applications: [:logger,:kaffe],
mod: {ElixirKaffeCodealong.Application, []}
]
end

Run "mix help deps" to learn about dependencies.

defp deps do
[
{:certifi, "> 2.10"},
{:pc, "> 1.13.0"},

add to your existing deps

{:kaffe, "~> 1.9"}

]

end
end

HTTP spec allows duplicate header names so we should allow that to.

We should either document how to set up proxy (#36 (comment)) or have first-class support for setting it (either there's a contract for it or adapter-specific configuration is passed down so we can e.g. httpc:set_options() in the httpc adapter)

Ref: wojtekmach/mini_repo#8

I've narrowed it down to our custom code which makes in-memory tarball [1] (as opposed to always saving to disk like erl_tar does), so it's a matter of optimizing that or, more practical, creating temp file as before.

[1] https://github.com/hexpm/hex_erl/blob/d79a4615f947a9ce6deeeb97c3c4f9e52976be4f/src/hex_tarball.erl#L327:L348

See hexpm/hexpm#674

I noticed our caching wasn't working and discovered the need to do the quoting of the etag when building the hex core config map:

#{http_etag => <<"\"", ETag/binary, "\"">>},

I can send a patch if you're ok with this being done hex_http instead, but does it need to check and not add extra quotes or can it just assume the user will not send a quoted etag?

In #26 we made the API lower level, exposing HTTP details, and unsurprisingly we received some feedback that it's leaky: aseigo/hexagon@5991766#commitcomment-30019283 (thanks @aseigo!)

This issue is to collect more feedback and see if and how we want to tackle this.

Would it be possible to release master (e.g. 0.7.1) so as to benefit from #105? Thanks much.

See e95f648

Rebar3 sets up an httpc profile for proxy settings and such and uses it in requests. It looks like hex_core has no support for setting a profile?

I think a good option would be to just add it to the config (using default by default) and then add the argument to the request call to hex_httpc. Does that sound good?

Should it just be named http_profile in the config? Or be more specific?

Discuss the possibility of a new hex library to share command logic, such as hex.outdated, between hex, rebar3_hex, and hex related libraries and/or plugins. This requires enumerating the differences between the two as is and enumerating what's missing from rebar3_hex and other hex related libraries where it might be beneficial to share code between projects in particularly where it's the logic is a bit complicated, but also with the idea that getting new commands into plugins such as rebar3_hex in a more expedient fashion.

We have a need in rebar3_hex to report to the user what the max size allowed for a package is. There are at least 4 ways I can see to do this :

1. update hex_tarball:create/2 to return {error, {tarball, too_big, ?TARBALL_MAX_SIZE}}, ?TARBALL_MAX_UNCOMPRESSED_SIZE}}
2. hex_core could formulate an error message and return that {error, {tarball, too_big, Msg}}
3. hex_core could maybe standardize on maps as the second element in an error tuple and put messages, sizes, etc. in said map. {error, #{}}or {error, {tarball, #{}}}
4. hex_core couldhex_tarball:max_size/0 or hex_tarball:max_compressed_size/0 and hex_tarball:max_uncompressed_size/0 and consumers of hex_core would simply refer to these functions to assist in formulating a message.

It's probably easiest to just provide a function that returns a max size. I'm also wondering if we can get away with just telling the user in an error message only the compressed size (absolute max size), as it gets confusing once you start trying to explain compressed size and uncompressed size in an error message. Perhaps giving the user the uncompressed max size is more helpful vs the compressed max size.

Happy to do a PR, but figured a little discussion around this first would be proper.

https://hexdocs.pm/hex_core/index.html

https://github.com/hexpm/hex_core/blob/master/src/hex_tarball.erl#L119

Per the changes in #65 this should reference inner_checksum and outer_checksum I believe

This is really a question about responsibility. It's either the callers responsibility or hex_core's. If it's hex_core's responsibility then hex_core should set the api_key to read_key or write_key depending on the op. It's fine either way, but wanted to check before I sent up a PR.

https://github.com/hexpm/hex_core/blob/v0.2.0/src/hex_tarball.erl#L9:L15

We used to differentiate between rebar and rebar3 and we may still do on the server, so this needs double-checking.