Alternate version matching with string rather than int to handle 0-prefixed numbers (failed ghostscript version check since version 10.01.0)

Question

Alternate version matching with string rather than int to handle 0-prefixed numbers (failed ghostscript version check since version 10.01.0)

Opened this issue 2 years ago · 4 comments

The version checker started to fail for Ghostscript, after release of version 10.01.0. We use the anitya x-data-checker's type (though this issue might happen with other data checkers, I haven't verified) and here is our current manifest code for GIMP:

                    "x-checker-data": {
                        "type": "anitya",
                        "project-id": 1157,
                        "stable-only": true,
                        "url-template": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$major$minor$patch/ghostscript-$version.tar.gz"
                    }

Finally here is an example of failed build log error because of the version check:

ERROR   src.manifest: Failed to check archive ghostscript/ghostscript-10.01.0.tar.xz with AnityaChecker: Error downloading upstream source: 404, message='Not Found', url=URL('https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs1010/ghostscript-10.01.0.tar.gz')

The right URL is: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10010/ghostscript-10.01.0.tar.gz

Basically it seems that the substitution code replaces $minor by 1 while the exact scheme for ghostscript apparently expects 01 (i.e. taking the version number as a string as-is, keeping the leading 0, rather than an int), which very likely means that there is a roundtrip to int type.

Though it might be the used scheme in some cases, in others (e.g. for ghostscript), it's not. So we'd need alternative substitution variables to handle such case.

Also do you know if there is a workaround for now (other than removing the version check for this module)? Because right now all builds fail on Flathub because of this.

Answer 1 · 2023-03-23T09:36:57.000Z

P.S.: checking the code, looking if such alternate variables already exist, I clearly see the problem:

from distutils.version import LooseVersion
[…]
        version_list = LooseVersion(version).version
[…]
        for i, version_part in enumerate(version_list):

And checking how this module works, testing in a console:

In [4]: l = LooseVersion("10.01.0")

In [5]: l.version
Out[5]: [10, 1, 0]

So in version_list, the leading zeros are already lost.

Answer 2 · 2023-03-23T10:07:26.000Z

You can use the json checker as a workaround. Try:

"x-checker-data": {
    "type": "json",
    "url": "https://api.github.com/repos/ArtifexSoftware/ghostpdl-downloads/releases/latest",
    "version-query": ".name | split(\" \") | .[1]",
    "url-query": ".assets[] | select(.name|test(\"^ghostscript-(.*).tar.gz$\")) | .browser_download_url"
}

Answer 3 · 2023-03-23T10:56:54.000Z

Thanks. Works fine!

Answer 4 · 2023-03-28T14:55:07.000Z

f-strings are not an option for untrusted input, since it would open up a very simple way to ACE. But maybe there is another library that can be used for string template (something like jinja2 but simpler)?