Skip Menu |

This queue is for tickets about the Moo CPAN distribution.

Report information
The Basics
Id: 119145
Status: resolved
Priority: 0/
Queue: Moo
People
Owner: Nobody in particular
Requestors: dagolden [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Tue Dec 06 12:41:39 2016 dagolden [...] cpan.org - Ticket created
Subject: Historical removal of Method::Inliner can cause Moo installs to be downgraded
CPAN Testers reports for MongoDB revealed that CPAN code that has a dependency on Method::Inliner can cause Moo to be unexpectedly downgraded. Avoiding this would require continuing to release Method::Inliner with current Moo, releasing Method::Inliner separately so that its index no longer points at old Moo tarballs, or other CPAN index muckery. I'm pasting in a copy of email from Andreas Koenig on the subject with further context. Show quoted text
>>>>> On Thu, 1 Dec 2016 09:43:29 -0500, David Golden <xdg@xdg.me> said:
Show quoted text
> Hi, Andreas. I was looking at > http://www.cpantesters.org/cpan/report/f2afec2a-b73d-11e6-a669-094ac671d6e6 and > there seems to be a transitive dependency failure.
Show quoted text
> MongoDB requires the BSON distribution (via BSON::Types and > BSON::Decimal128). BSON requires Moo 2.002004, but this is not > satisfied and only Moo 2.001001 is installed.
Show quoted text
> Could you please look into what happened?
When BSON::Decimal128 was installed we had already Moo 2.002005 installed: # Module Want Have # ---------------- -------- --------- # [...] # Moo 2.002004 2.002005 and all was good. But before we turned to MongoDB again, JABRA/MetasploitExpress-Parser-0.02.tar.gz got in the way and that has a dependency on Method::Inliner. And look what the indexer tells us: cpan[3]> m Method::Inliner Module id = Method::Inliner CPAN_USERID HAARG (Graham Knop <haarg@cpan.org>) CPAN_VERSION undef CPAN_FILE H/HA/HAARG/Moo-2.001001.tar.gz UPLOAD_DATE 2016-03-04 INST_FILE /home/sand/src/perl/repoperls/installed-perls/host/k93x64sid/v5.25.7/f878/lib/site_perl/5.25.7/Method/Inliner.pm INST_VERSION undef So we downgraded Moo to 2.001001, and when MongoDB's turn finally came, we had exactly that instead of the 2.002005. Options: - delete Moo-2.001001 and inform all maintainers to find a replacement for Method::Inliner - revive Method::Inliner somewhere else, so it cannot cause downgrades of Moo - add dependency on Moo to MongoDB - other?
  Tue Dec 06 13:50:46 2016 ether [...] cpan.org - Correspondence added
Method::Inliner is indeed indexed to a previous release of Moo, which should be deleted from cpan: Method::Inliner undef H/HA/HAARG/Moo-2.001001.tar.gz see http://cpanold.chorny.net/?a=HAARG
  Tue Dec 06 13:50:48 2016 The RT System itself - Status changed from 'new' to 'open'
  Tue Dec 06 14:11:21 2016 haarg [...] haarg.org - Correspondence added
I can get Method::Inliner unindexed, but the explanation here doesn't seem accurate. JABRA/MetasploitExpress-Parser-0.02.tar.gz doesn't have a dependency on Method::Inliner. Nothing I can find on CPAN has a dependency on Method::Inliner.
  Tue Dec 06 16:16:13 2016 dagolden [...] cpan.org - Correspondence added
RT-Send-CC: ANDK [...] cpan.org
On Tue Dec 06 14:11:21 2016, haarg wrote: Show quoted text
> I can get Method::Inliner unindexed, but the explanation here doesn't > seem accurate. JABRA/MetasploitExpress-Parser-0.02.tar.gz doesn't > have a dependency on Method::Inliner. Nothing I can find on CPAN has > a dependency on Method::Inliner.
I've CC'd Andreas in the hopes that he can clarify.
  Wed Dec 07 02:49:15 2016 andreas.koenig.7os6VVqR [...] franz.ak.mind.de - Correspondence added
CC: ANDK [...] cpan.org
Subject: Re: [rt.cpan.org #119145] Historical removal of Method::Inliner can cause Moo installs to be downgraded
Date: Wed, 07 Dec 2016 08:48:56 +0100
To: "David Golden via RT" <bug-Moo [...] rt.cpan.org>
From: Andreas Koenig <andreas.koenig.7os6VVqR [...] franz.ak.mind.de>
Show quoted text
>>>>> On Tue, 6 Dec 2016 16:16:20 -0500, "David Golden via RT" <bug-Moo@rt.cpan.org> said:
Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=119145 > > On Tue Dec 06 14:11:21 2016, haarg wrote:
>> I can get Method::Inliner unindexed, but the explanation here doesn't >> seem accurate. JABRA/MetasploitExpress-Parser-0.02.tar.gz doesn't >> have a dependency on Method::Inliner. Nothing I can find on CPAN has >> a dependency on Method::Inliner.
Show quoted text
> I've CC'd Andreas in the hopes that he can clarify.
Darn, then I misunderstood the output of the cpan shell. So it was not MetasploitExpress-Parser-0.02 but only my own Bundle file. I have meanwhile removed Method::Inliner from my bundle file and so we can hope this will not surface again. Sorry for the wrong diagnosis. I can see it now, that it was pure coincidence that the cpan shell tried Method::Inliner after MetasploitExpress-Parser:( -- andreas
  Mon Mar 06 05:04:09 2017 haarg [...] haarg.org - Correspondence added
I've reset the Method::Inliner version number on CPAN, so nothing should ever try to downgrade Moo based on versions. Considering this resolved.
  Mon Mar 06 05:04:22 2017 haarg [...] haarg.org - Status changed from 'open' to 'resolved'