Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yarn pack produces slightly different .tgz files on different operating systems #2774

Open
borekb opened this issue Apr 19, 2021 · 7 comments
Open

yarn pack produces slightly different .tgz files on different operating systems #2774

borekb opened this issue Apr 19, 2021 · 7 comments
Labels
bug Something isn't working upholded Real issues without formal reproduction

Comments

@borekb
Copy link
Contributor

borekb commented Apr 19, 2021

Creating an issue from this Discord chat.

Describe the bug

Running yarn pack produces slightly different archive (.tgz file) depending on the OS. For example, this is macOS vs. Windows:

Screen Shot 2021-04-19 at 14 50 25

It comes down to the OS header, as described in RFC1952.

To Reproduce

  1. Run yarn pack on e.g. macOS.
  2. Run yarn pack on e.g. Windows.
  3. Compare the files.

Environment if relevant (please complete the following information):

  • OS: combination of OS's, tested on macOS and Windows.
  • Node version: 12 & 14
  • Yarn version: 2.4.1

Additional context

Discord chat.

Search terms: operating system, OS, Windows, Linux, macOS, Mac, yarn pack, tarball, archive, TGZ, GZIP, ZIP.
@borekb borekb added the bug Something isn't working label Apr 19, 2021
@paul-soporan paul-soporan added the upholded Real issues without formal reproduction label Apr 19, 2021
@arcanis
Copy link
Member

arcanis commented Apr 19, 2021

It turns out Node encodes the operating system when compressing things with the native zlib, so different systems will have different checksums. Fortunately it hasn't been a problem with the cache because we now use zip w/ a wasm version of the zlib (thus guaranteeing determinism), but yarn pack uses node-tar, which uses the native primitive for compression.

Unfortunately Node doesn't expose options to control this behaviour and, even if they did, it probably wouldn't be enough: parallelism may cause other deltas during compression, and there would be no way to control that either. The right fix would probably be to use the wasm zlib for compression (thankfully performances for yarn pack aren't a huge concern since it's only uncommonly used), but it's a bit of work 🤔

@borekb
Copy link
Contributor Author

borekb commented Apr 19, 2021

Does npm pack suffer from the same issue or do they avoid it somehow? (I don't have a good way to test it right now, sorry.)

@arcanis
Copy link
Member

arcanis commented Apr 19, 2021

Me neither 😄 I suspect they do; I remember someone mentioning other inconsistent checksum issues on pack when adding npm-powered packages as dependencies, a fews months ago. Perhaps it was this.

@mpetrunic
Copy link

It would seem this is causing checksum mismatch bugs when installing git dependencies as they get packed instead of used as it so it's pretty severe as it's causing everyone to ignore or update checksum mismatches.

@AndreKR
Copy link

AndreKR commented Aug 9, 2022
edited
Loading

Yeah, that's the workaround. I have a git dependency ("package": "git+ssh://[email protected]/foo/bar.git") in my package.json and if I run yarn install on Windows and commit yarn.lock then I have to run the CI (runs on Linux) with YARN_CHECKSUM_BEHAVIOR=ignore otherwise I get The remote archive doesn't match the expected checksum.

@purge purge mentioned this issue Aug 11, 2022
Closed
1 task
@ziad-saab ziad-saab mentioned this issue Sep 15, 2022
Closed
@symwell symwell mentioned this issue Dec 19, 2022
Closed
@0xCourtney 0xCourtney mentioned this issue Mar 13, 2023
Open
1 task
@KholdStare
Copy link

Any updates? We're being bit by issue #5136, which is a result of this issue.

chadlwilson added a commit to gocd/gocd that referenced this issue Aug 3, 2023
@chadlwilson
Workaround yarn hash/checksum WIndows mismatches
ff40487 
With Yarn 3 there seem to be hash/checksum mismatches for the vendor libraries (opensans, angular 1.0.8) that are stored locally, presumably some issue with the git or file system permissions.

Lowish risk as we don't produce official builds from Windows agents, and it's not such a common setup. Additionally, --immutable wasn't used with Yarn 1, so this is still a step forward.

Perhaps related to yarnpkg/berry#5136 or yarnpkg/berry#4598 or yarnpkg/berry#2774
@arcanis arcanis mentioned this issue Oct 18, 2023
Closed
1 task
@Diggsey Diggsey mentioned this issue Jan 25, 2024
Open
1 task
@raguiar9080 raguiar9080 mentioned this issue Jun 13, 2024
Merged
@alexanderkjeldaas
Copy link

alexanderkjeldaas commented Aug 12, 2024
edited
Loading

This is making it impossible to create deterministic results with yarn pack. Is there a workaround? Does npm have the same issue?

@mpetrowi mpetrowi mentioned this issue Aug 15, 2024
Open
This was referenced Sep 24, 2024
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working upholded Real issues without formal reproduction
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@borekb @alexanderkjeldaas @KholdStare @arcanis @AndreKR @mpetrunic @paul-soporan