Prevent corruption of tar packages when downloading from registry

Author: f-f

flake.lock

@@ -281,7 +281,7 @@
     },
     "package_set": {
       "address": {
-        "registry": "75.0.0"
+        "registry": "75.3.0"
       },
       "compiler": ">=0.15.15 <0.16.0",
       "content": {
@@ -354,6 +354,7 @@
         "codec-argonaut": "10.0.0",
         "codec-json": "2.0.0",
         "colors": "7.0.1",
+        "compile-fail": "0.4.0",
         "concur-core": "0.5.0",
         "concur-react": "0.5.0",
         "concurrent-queues": "3.0.0",
@@ -492,10 +493,10 @@
         "hylograph-canvas": "0.1.0",
         "hylograph-d3-kernel": "0.1.0",
         "hylograph-graph": "0.2.0",
-        "hylograph-layout": "0.2.0",
-        "hylograph-music": "0.1.0",
+        "hylograph-layout": "0.2.1",
+        "hylograph-music": "0.2.0",
         "hylograph-optics": "0.1.0",
-        "hylograph-selection": "0.1.1",
+        "hylograph-selection": "0.3.4",
         "hylograph-simulation": "0.3.0",
         "hylograph-simulation-core": "0.1.0",
         "hylograph-simulation-halogen": "0.3.0",
@@ -546,6 +547,7 @@
         "leveldb": "1.0.1",
         "liminal": "1.0.1",
         "linalg": "6.0.0",
+        "linear": "0.1.0",
         "lists": "7.0.0",
         "literals": "1.0.2",
         "logging": "3.0.0",
@@ -727,6 +729,7 @@
         "semirings": "7.0.0",
         "shuffle": "2.0.0",
         "sigil": "0.3.0",
+        "sigil-hats": "0.2.0",
         "signal": "13.0.0",
         "simple-emitter": "3.0.1",
         "simple-i18n": "2.0.1",
@@ -740,7 +743,7 @@
         "soundfonts": "4.1.0",
         "sparse-matrices": "2.0.1",
         "sparse-polynomials": "3.0.1",
-        "spec": "8.1.1",
+        "spec": "8.1.2",
         "spec-discovery": "8.4.1",
         "spec-mocha": "5.1.1",
         "spec-node": "0.0.3",
@@ -880,7 +883,7 @@
         "yoga-dynamodb": "0.1.1",
         "yoga-elasticsearch": "0.1.1",
         "yoga-fastify": "0.5.1",
-        "yoga-fastify-om": "0.4.1",
+        "yoga-fastify-om": "0.4.4",
         "yoga-fetch": "1.0.1",
         "yoga-fetch-om": "0.6.2",
         "yoga-http-api": "0.3.1",
@@ -892,7 +895,7 @@
         "yoga-om-layer": "2.0.0",
         "yoga-om-strom": "0.4.2",
         "yoga-om-workerbees": "0.1.2",
-        "yoga-opentelemetry": "0.1.1",
+        "yoga-opentelemetry": "0.2.0",
         "yoga-options": "0.1.1",
         "yoga-pino": "0.1.1",
         "yoga-postgres": "6.0.0",
@@ -1004,10 +1007,6 @@
           "ordered-collections",
           "prelude"
         ]
-      },
-      "spec": {
-        "git": "https://github.com/purescript-spec/purescript-spec.git",
-        "ref": "2f8c7fd6ee04041d947f4629248695ac667257e1"
       }
     }
   },
@@ -1354,15 +1353,6 @@
         "tuples"
       ]
     },
-    "debug": {
-      "type": "registry",
-      "version": "6.0.2",
-      "integrity": "sha256-d/EzRm/J2JyzvlIeo2Ex78Y7HRB0IXBitnVJywL4gHk=",
-      "dependencies": [
-        "functions",
-        "prelude"
-      ]
-    },
     "distributive": {
       "type": "registry",
       "version": "6.0.0",
@@ -2845,9 +2835,9 @@
       ]
     },
     "spec": {
-      "type": "git",
-      "url": "https://github.com/purescript-spec/purescript-spec.git",
-      "rev": "2f8c7fd6ee04041d947f4629248695ac667257e1",
+      "type": "registry",
+      "version": "8.1.2",
+      "integrity": "sha256-klPPJ6lBQI1CGOAdLJ+ZoGRt8XZippkTKjn53BrSkL0=",
       "dependencies": [
         "aff",
         "ansi",
@@ -2856,7 +2846,6 @@
         "bifunctors",
         "control",
         "datetime",
-        "debug",
         "effect",
         "either",
         "exceptions",

spago.lock

@@ -84,7 +84,7 @@ package:
       - spec-node
 workspace:
   packageSet:
-    registry: 75.0.0
+    registry: 75.3.0
   extraPackages:
     registry-lib:
       git: https://github.com/purescript/registry-dev.git
@@ -162,7 +162,3 @@ workspace:
       git: https://github.com/klntsky/purescript-search-trie.git
       ref: e7f7f22486a1dba22171ec885dbc2149dc815119
     json-codecs: 4.0.0
-    spec:
-      git: https://github.com/purescript-spec/purescript-spec.git
-      ref: 2f8c7fd6ee04041d947f4629248695ac667257e1
-

spago.yaml

@@ -342,8 +342,12 @@ fetchPackagesToLocalCache packages = do
                     unless (archiveSha == versionMetadata.hash) do
                       die $ "Archive fetched for " <> packageVersion <> " has a different hash (" <> Sha256.print archiveSha <> ") than expected (" <> Sha256.print versionMetadata.hash <> ")"
                     -- if everything's alright we stash the tar in the global cache
+                    -- Write to a temp file then atomically rename, so parallel processes
+                    -- don't corrupt the archive by writing to the same path simultaneously.
+                    let tempArchivePath = globalCachePackagePath </> (versionString <> ".tar.gz." <> Path.basename tempDir)
                     logDebug $ "Fetched archive for " <> packageVersion <> ", saving it in the global cache: " <> Path.quote archivePath
-                    FS.writeFile archivePath archiveBuffer
+                    FS.writeFile tempArchivePath archiveBuffer
+                    FS.moveSync { src: tempArchivePath, dst: archivePath }
                     logDebug $ "Unpacking archive to temp folder: " <> Path.quote tempDir
                     (liftEffect $ Tar.extract { filename: archivePath, cwd: tempDir }) >>= case _ of
                       Right _ -> pure unit

src/Spago/Command/Fetch.purs

@@ -34,6 +34,7 @@ import Data.String.Extra (levenshtein)
 import Data.Traversable (class Traversable)
 import Effect.Aff as Aff
 import Effect.Now as Now
+import Effect.Random as Random
 import JSON (JSON)
 import JSON as JSON
 import Node.Buffer as Buffer
@@ -175,7 +176,8 @@ mkTemp' maybeSuffix = liftAff do
   -- Get a random string
   (HexString random) <- liftEffect do
     now <- Now.now
-    sha <- Sha256.hashString $ show now <> fromMaybe "" maybeSuffix
+    rand <- Random.random
+    sha <- Sha256.hashString $ show now <> show rand <> fromMaybe "" maybeSuffix
     shaToHex sha
   -- Return the dir, but don't make it - that's the responsibility of the client
   let tempDirPath = Paths.paths.temp </> String.drop 56 random