-
-
Notifications
You must be signed in to change notification settings - Fork 928
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kombu 4.2.2 PyPi package does not match GitHub release/tag changelog #966
Comments
Confirmed. I ran git reset --hard v4.2.2 &&
curl https://files.pythonhosted.org/packages/52/29/2c4e26fb944327f7043361243c46a141b62d34d55bdb5bbef5438c7dcff0/kombu-4.2.2.tar.gz |
tar --strip-components=1 -xvzpf- to get the full difference. There are a lot of differences between what's tagged as v4.2.2 in this repo and what's released in the tar.gz on pypi. |
@thedrow @auvipy @georgepsarakis please take note |
met the same issue with 4.2.2 |
I am very very sorry. I didn't have the time to deal with this. @atiking If you think so, please open an issue or a PR and explain why that's the case. |
I released 4.2.2post1. |
Was it intentional for 4.2.2.post1 to replace 4.2.2? It looks like 4.2.2 has completely disappeared off pypi https://pypi.org/project/kombu/#history |
@arlaneenalra from a few messages up above: "I'm going to yank the wheel and tarball and release a new one." and the justification: "It contained code which should not have been released and causes errors in production." |
I guess 4.2.2 could have stayed there in PyPI, along with post1. We had it in dependencies (don't know if it was actually being used, though) and stuff was working. Dropping the version made our build fail. Got a bit stressed when I had to update it with poetry when it's not a first-level dependency :) But |
I'd rather not have broken dependencies available as it will simply create more bug reports which we don't have time to handle. |
I appreciate taking the action to fix it, just .. well... deleting an already released version instead of of just bumping the version and releasing a newer one is a bit of a pain on the receiving end.
The alternative is also likely to cause bug reports from people asking "where has the release gone?" |
I guess that there are no good answers here. |
@thedrow @weakcamel I think that this was the best possible choice after the bad release. Leaving known breaking code out in the wild is definitely worse than making people pop a second update. However, the only advice I have for the future would be to include something in the changelog or release on github (or both) indicating why there was a second release done, since that would, assuming people read them, give people the answer and avoid more issues being opened. |
Noted, I'll do so tomorrow. |
Great!
@ntravis True, if something went really, really horribly wrong, the last resort of removing the release might be a way out. I'm just not sure if this case was serious enough (it'd be easy to recover from by upgrade of the dependency, it didn't crash OS, it didn't delete anything - just wasn't exactly what it said on the tin) to warrant that. But that's my personal opinion and I can see why other's view might differ.
@thedrow Oh, well - mistakes will always happen, that's only natural. What's appreciated is the effort to remediate that - and kudos for that! :-) |
For whatever my opinion is worth, I think as long as pypi doesn’t offer a way to mark a release as “BAD”, removing that release is the least of evils. |
I have no issues with how this was handled. Things happen. Thanks for your hard work ❤️ We had no issues with the missing dependency but when our auto scaler decided to add a new instance, the build failed because of the missing 4.2.2 version and took our whole (admittedly tiny and unstable) production environment down with it. My personal opinion is that once you've released something, it should stay released. People end up relying on it sooner than you know and the bugs may not affect them. This breaks things that were actually working. I'm only saying this to provide context. In the end it's your decision and we're all benefiting from your work for free, so thanks again. |
Relevant to that comment, I will link this ticket to pypi/warehouse#345 |
This patch fixes an issue with a dependency that was removed from PyPI. More information is available here: celery/kombu#966.
Version 4.2.2 was removed because a bad packaging issue celery/kombu#966
Version 4.2.2 was removed because of a packaging issue celery/kombu#966
It seems the kombu-4.2.2 package that was released (and found here https://pypi.org/project/kombu/#files) does not actually reflect the v4.2.2 tag/release on GitHub. It appears instead to be built from
master
.Compare the above with
compression.py
on v4.2.2.We found this by chance when running on a Python installation without bz2 available.
The text was updated successfully, but these errors were encountered: