fix(verify-source): Detect published-at = 0x0 #18978
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
3 Skipped Deployments
|
This was referenced Aug 13, 2024
Comment on lines
+144
to
+147
| let published_id_in_manifest = manifest_published_at(package); | ||
|
|
||
| match published_id_in_manifest { | ||
| Ok(_) | Err(PublishedAtError::NotPresent) => { /* nop */ } |
There was a problem hiding this comment.
I feel like this manifest_published_at should be a different function, that checks if it is present or not. Somehow (as I don't know this code at all), it gets confusing that if the function's result is Ok, an error is returned.
stefan-mysten
approved these changes
Aug 13, 2024
Yes, covered by tests further up the stack -- this is actually how I noticed the issue. |
## Description Move logic for dealing with toolchain versioning into its own module. ## Test plan ``` sui-source-validation$ cargo nextest run ```
## Description Detect when the `published-at` field in `Move.toml` or `Move.lock` has been explicitly set to `0x0` and treat that as if it was not set at all. This is not commonly done by people, but it happens in our test set-up. This also required converting the field into an `ObjectID` earlier in the pipeline, which introduced some further changes in the codebase. ## Test plan ``` sui-source-validation$ cargo nextest run ```
amnn
force-pushed
the
amnn/src-verify-0x0
branch
from
98316ef
to
97cf57e
Compare
amnn
force-pushed
the
amnn/src-verify-tool
branch
from
5451e5a
to
d23cdfa
Compare
amnn
added a commit
that referenced
this pull request
Aug 14, 2024
## Description Fix a bug where publish test transactions always refer to their dependencies at their original IDs. This breaks publishing test packages that depend on upgraded packages. ## Test plan CI -- existing tests using TestTransactionBuilder should still pass. ## Stack - #18956 - #18959 - #18978 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 14, 2024
## Description Fix a bug in tests that publish packages where the publish transaction was always constructed referring to dependencies at their original IDs, and not their storage IDs. This has not caused a problem to date, meaning these tests may not publish a package that depends on an upgrade package, but to avoid confusion `get_dependency_original_package_ids` has been replaced with `get_dependency_storage_package_ids`. Similarly, `get_package_dependencies_hex` has been replaced with an invocation of `get_dependency_storage_package_ids`. ## Test plan CI +: ``` sui$ cargo build --bin sui sui$ cd tmp sui$ ~/sui/target/debug/sui move new test sui$ # make it possible to compile sui$ ~/sui/target/debug/ui move build --dump-bytecode-as-base64 ``` ## Stack - #18956 - #18959 - #18978 - #18960 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 14, 2024
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ``` ## Stack - #18956 - #18959 - #18978 - #18960 - #18962 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: `sui client verify-source` now also confirms a package's linkage table matches its source dependencies. - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 15, 2024
## Description Detect when the `published-at` field in `Move.toml` or `Move.lock` has been explicitly set to `0x0` and treat that as if it was not set at all. This is not commonly done by people, but it happens in our test set-up. This also required converting the field into an `ObjectID` earlier in the pipeline, which introduced some further changes in the codebase. ## Test plan ``` sui-source-validation$ cargo nextest run ``` ## Stack - #18956 - #18959 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: Explicitly setting `published-at = "0x0"` is treated as if the `published-at` field was omitted. - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 15, 2024
## Description Fix a bug where publish test transactions always refer to their dependencies at their original IDs. This breaks publishing test packages that depend on upgraded packages. ## Test plan CI -- existing tests using TestTransactionBuilder should still pass. ## Stack - #18956 - #18959 - #18978 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 15, 2024
## Description Fix a bug in tests that publish packages where the publish transaction was always constructed referring to dependencies at their original IDs, and not their storage IDs. This has not caused a problem to date, meaning these tests may not publish a package that depends on an upgrade package, but to avoid confusion `get_dependency_original_package_ids` has been replaced with `get_dependency_storage_package_ids`. Similarly, `get_package_dependencies_hex` has been replaced with an invocation of `get_dependency_storage_package_ids`. ## Test plan CI +: ``` sui$ cargo build --bin sui sui$ cd tmp sui$ ~/sui/target/debug/sui move new test sui$ # make it possible to compile sui$ ~/sui/target/debug/ui move build --dump-bytecode-as-base64 ``` ## Stack - #18956 - #18959 - #18978 - #18960 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
amnn
added a commit
that referenced
this pull request
Aug 15, 2024
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ``` ## Stack - #18956 - #18959 - #18978 - #18960 - #18962 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: `sui client verify-source` now also confirms a package's linkage table matches its source dependencies. - [ ] Rust SDK: - [ ] REST API:
suiwombat
pushed a commit
that referenced
this pull request
Sep 16, 2024
## Description Detect when the `published-at` field in `Move.toml` or `Move.lock` has been explicitly set to `0x0` and treat that as if it was not set at all. This is not commonly done by people, but it happens in our test set-up. This also required converting the field into an `ObjectID` earlier in the pipeline, which introduced some further changes in the codebase. ## Test plan ``` sui-source-validation$ cargo nextest run ``` ## Stack - #18956 - #18959 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: Explicitly setting `published-at = "0x0"` is treated as if the `published-at` field was omitted. - [ ] Rust SDK: - [ ] REST API:
suiwombat
pushed a commit
that referenced
this pull request
Sep 16, 2024
## Description Fix a bug where publish test transactions always refer to their dependencies at their original IDs. This breaks publishing test packages that depend on upgraded packages. ## Test plan CI -- existing tests using TestTransactionBuilder should still pass. ## Stack - #18956 - #18959 - #18978 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
suiwombat
pushed a commit
that referenced
this pull request
Sep 16, 2024
## Description Fix a bug in tests that publish packages where the publish transaction was always constructed referring to dependencies at their original IDs, and not their storage IDs. This has not caused a problem to date, meaning these tests may not publish a package that depends on an upgrade package, but to avoid confusion `get_dependency_original_package_ids` has been replaced with `get_dependency_storage_package_ids`. Similarly, `get_package_dependencies_hex` has been replaced with an invocation of `get_dependency_storage_package_ids`. ## Test plan CI +: ``` sui$ cargo build --bin sui sui$ cd tmp sui$ ~/sui/target/debug/sui move new test sui$ # make it possible to compile sui$ ~/sui/target/debug/ui move build --dump-bytecode-as-base64 ``` ## Stack - #18956 - #18959 - #18978 - #18960 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] REST API:
suiwombat
pushed a commit
that referenced
this pull request
Sep 16, 2024
## Description Source validation additionally checks that dependencies in the linkage table of the on-chain package match the published dependencies from the source package. Previously it was possible to construct a scenario where source verification would succeed even though a package's representation on-chain did not exactly match, because one of the dependencies mismatched on version but between two versions that were themselves identical. ## Test plan New tests exercising the scenario mentioned above: ``` sui-source-validation$ cargo nextest run -- linkage_differs ``` ## Stack - #18956 - #18959 - #18978 - #18960 - #18962 --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] Indexer: - [ ] JSON-RPC: - [ ] GraphQL: - [x] CLI: `sui client verify-source` now also confirms a package's linkage table matches its source dependencies. - [ ] Rust SDK: - [ ] REST API:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Detect when the
published-atfield inMove.tomlorMove.lockhas been explicitly set to0x0and treat that as if it was not set at all.This is not commonly done by people, but it happens in our test set-up.
This also required converting the field into an
ObjectIDearlier in the pipeline, which introduced some further changes in the codebase.Test plan
Stack
Release notes
Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required.
For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates.
published-at = "0x0"is treated as if thepublished-atfield was omitted.