Issue #20997 has been updated by Adrien Thebo. Status changed from Accepted to In Topic Branch Pending Review Branch set to https://github.com/puppetlabs/puppet/pull/1684
---------------------------------------- Bug #20997: `puppet module install` fails cryptically when served bad module information https://projects.puppetlabs.com/issues/20997#change-91972 * Author: Adrien Thebo * Status: In Topic Branch Pending Review * Priority: Normal * Assignee: * Category: module tool * Target version: * Affected Puppet version: 3.0.0 * Keywords: * Branch: https://github.com/puppetlabs/puppet/pull/1684 ---------------------------------------- If a Puppet module on the Forge has poorly formed metadata, querying for the module metadata can emit an extra field which breaks the Puppet module tool. For instance, an early version of [adrien/pe_upgrade](http://forge.puppetlabs.com/adrien/pe_upgrade/0.1.0) had a malformed version specifier on a module dependency, using the Ruby Gems `'>= 0'` specification instead of `'>= 0.0.0'`. When querying the module data from the forge, the following data is returned: <pre> {"adrien/pe_upgrade"=> [{"file"=>"/system/releases/a/adrien/adrien-pe_upgrade-0.4.0.tar.gz", "version"=>"0.4.0", "dependencies"=> [["nanliu/staging", "0.x"], ["puppetlabs/stdlib", ">= 2.5.1"]]}, {"file"=>"/system/releases/a/adrien/adrien-pe_upgrade-0.4.2.tar.gz", "version"=>"0.4.2", "dependencies"=> [["nanliu/staging", "0.x"], ["puppetlabs/stdlib", ">= 2.5.1"]]}], "nanliu/staging"=> [{"file"=>"/system/releases/n/nanliu/nanliu-staging-0.1.0.tar.gz", "version"=>"0.1.0", "dependencies"=>[]}, {"file"=>"/system/releases/n/nanliu/nanliu-staging-0.2.0.tar.gz", "version"=>"0.2.0", "dependencies"=>[]}, {"file"=>"/system/releases/n/nanliu/nanliu-staging-0.2.1.tar.gz", "version"=>"0.2.1", "dependencies"=>[]}, {"file"=>"/system/releases/n/nanliu/nanliu-staging-0.3.0.tar.gz", "version"=>"0.3.0", "dependencies"=>[]}], "puppetlabs/stdlib"=> [{"file"=>"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.2.0.tar.gz", "version"=>"3.2.0", "dependencies"=>[]}, {"file"=>"/system/releases/p/puppetlabs/puppetlabs-stdlib-4.1.0.tar.gz", "version"=>"4.1.0", "dependencies"=>[]}], "_warnings"=> ["Dependency nanliu/staging for module adrien/pe_upgrade had invalid version range \">= 0\"", "Dependency nanliu/staging for module adrien/pe_upgrade had invalid version range \">= 0\""]} </pre> (Metadata was truncated for brevity.) When running `puppet module install adrien/pe_upgrade` this module metadata is fetched. https://github.com/puppetlabs/puppet/blob/3.0.0/lib/puppet/module_tool/shared_behaviors.rb#L34 walks over this data structure, and it assumes that each entry in the hash is a key/value pair with the key being the module name and the value being an array of metadata for each version of that module. However the `_warnings` field only contains strings, which breaks the assumption that the PMT is making. The the module tool is fetching this information it tries to fetch the version of the module (https://github.com/puppetlabs/puppet/blob/3.0.0/lib/puppet/module_tool/shared_behaviors.rb#L39). It assumes that the given value is a hash, tries to look up the version field, and if that fails then it falls back to using the SemVer `MIN` value. There are three problems here: 1. _warnings is not a module and shouldn't be treated as such when reading metadata 1. The PMT shouldn't blindly rescue errors parsing the SemVer 1. It's `SemVer::MIN`, not `SemVer.MIN` For a long time the Puppet Forge would silently swallow errors with module metadata, but on May 23 it started handling that correctly and started emitting the `_warnings` field. Any module with malformed module ### Expected behavior <pre> puppet module install adrien/pe_upgrade --version 0.4.2 Notice: Preparing to install into /home/adrien/.puppet/modules ... Notice: Downloading from https://forge.puppetlabs.com ... Notice: Installing -- do not interrupt ... Warning: Dependency nanliu/staging for module adrien/pe_upgrade had invalid version range ">= 0" Warning: Dependency nanliu/staging for module adrien/pe_upgrade had invalid version range ">= 0" /home/adrien/.puppet/modules └─┬ adrien-pe_upgrade (v0.4.2) ├── nanliu-staging (v0.3.0) └── puppetlabs-stdlib (v4.1.0) </pre> ### Actual behavior <pre> puppet module install adrien/pe_upgrade Notice: Preparing to install into /home/adrien/.puppet/modules ... Notice: Downloading from https://forge.puppetlabs.com ... Error: undefined method `MIN' for SemVer:Class Error: Try 'puppet help module install' for usage </pre> ### Workaround Installing the exact version of the faulty module works around this: <pre> puppet module install adrien/pe_upgrade --version 0.4.2 Notice: Preparing to install into /home/adrien/.puppet/modules ... Notice: Downloading from https://forge.puppetlabs.com ... Notice: Installing -- do not interrupt ... /home/adrien/.puppet/modules └─┬ adrien-pe_upgrade (v0.4.2) ├── nanliu-staging (v0.3.0) └── puppetlabs-stdlib (v4.1.0) </pre> - - - #### Bonus stage: The error message being emitted from the Forge is misleading: "Dependency nanliu/staging for module adrien/pe_upgrade had invalid version range ">= 0" 1. adrien/pe_upgrade is the one with the invalid version range, not nanliu/staging 1. the error message doesn't indicate which version of adrien/pe_upgrade has the bad version. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
