packit 0.10.2 unable to extract dependency

[arjun024]

What happened?

See
php-dist: https://github.com/paketo-buildpacks/php-dist/runs/2354116118?check_suite_focus=true
cpython: https://github.com/paketo-community/cpython/runs/2354101672?check_suite_focus=true

Extracting the dependency leads to error with packit 0.10.2.

Reproduce error

For php-dist:

package main

import (
        "log"

        "github.com/paketo-buildpacks/packit/cargo"
        "github.com/paketo-buildpacks/packit/postal"
)

func main() {
        dep := postal.Dependency{
                URI: "https://buildpacks.cloudfoundry.org/dependencies/php/php_7.4.16_linux_x64_cflinuxfs3_87568cc8.tgz",
        }
        s := postal.NewService(cargo.NewTransport())
        err := s.Deliver(dep, "/tmp", "/tmp", "/tmp")
        if err != nil {
                log.Fatal(err)
        }
}

failed to evaluate symlink /tmp/lib/libgpg-error.so: lstat /tmp/lib/lib: no such file or directory

Checklist

• I have included log output.
• The log output includes an error message.
• I have included steps for reproduction.

[arjun024]

Looks still not able to extract dependency for php-dist. See https://github.com/paketo-buildpacks/php-dist/runs/2494636534?check_suite_focus=true (as part of paketo-buildpacks/php-dist#220)

[ForestEckhardt]

It appears that php-dist is trying to make a symlink to a file on the underlying OS that does not exist. I will do some investigating but I believe that not having a check for the file being linked to existing causes some security concerns.

[arjun024]

Tried with the branch in #173 but getting the same issue

[ForestEckhardt]

Interesting...I will have to check this out further.

[ForestEckhardt]

@arjun024 I cannot repro on the branch you specified.

[arjun024]

Not sure if it was my error in testing again, but yes works now. Thank you.

For reference, tested code copied below.

‣ cat x.go
package main

import (
        "log"

        "github.com/paketo-buildpacks/packit/cargo"
        "github.com/paketo-buildpacks/packit/postal"
)

func main() {
        dep := postal.Dependency{
                URI:    "https://buildpacks.cloudfoundry.org/dependencies/php/php_7.4.16_linux_x64_cflinuxfs3_87568cc8.tgz",
                SHA256: "87568cc88e6b429578273a2237e2c3a45830e09c5043e05a905fbce8f1b2a252",
        }
        s := postal.NewService(cargo.NewTransport())
        // create all these dirs as empty
        err := s.Deliver(dep, "/tmp/storage/cnb", "/tmp/storage/layer", "/tmp/storage/platform")
        if err != nil {
                log.Fatal(err)
        }
}

 ‣ cat go.mod
module main

go 1.16

replace github.com/paketo-buildpacks/packit => /home/ubuntu/workspace/paketo-buildpacks/packit

require github.com/paketo-buildpacks/packit v0.12.0

with local copy pointing to the topic branch.

 ‣ go run x.go

 ‣ echo $?
0

‣ ls /tmp/storage/layer/
bin  etc  include  lib  mibs  php  sbin  var

[ryanmoran]

As I've outlined in #173 (comment), this appears to be an issue with the php-dist dependency and not packit. We are packaging up a tarball that has symlink references to external file locations. Instead, the tarball should use the --dereference option when archiving so that we produce a completely portable artifact.

[ForestEckhardt]

Hopefully this will be resolved soon by cloudfoundry/binary-builder#56

[ryanmoran]

@arjun024 is this resolved?