owned this note
owned this note
Published
Linked with GitHub
---
tags: [post-mortem]
---
# 2022-05 release incident of conda 4.13.0/conda-build 3.21.{8,9}
Authors: Jannis Leidel (@jezdez, Anaconda), Mark Harfouche(@hmaarrfk)
Between May 26 and May 31, users of conda-build and conda version 4.13.0 may have experienced errors when attempting to build new packages. The most visible effect of this incident was the spurious failures of conda-forge's build infrastructure on windows. The issue has now been resolved with the release of conda-build version 3.21.9. In this brief, we describe the technical details in hopes avoiding such widespread incidences in the future.
## Incident
The new [conda 4.13.0 release](https://github.com/conda/conda/releases/tag/4.13.0) removed a lot of legacy Python support code, mostly related to Python 2.7 which has not been supported for a while.
This change was done over a [number of commits](https://github.com/conda/conda/pull/11364) and reviewed closely to reduce the fallout.
Despite checking the conda-build code base thoroughly for imports of the removed code in conda, an inline import for the `conda.common.compat.itervalues` function [slipped through the cracks](https://github.com/conda/conda-build/blob/1ed8da062f123e1fbca604df26b064b267a3d094/conda_build/utils.py#L2085).
A few isolated things that happened:
- The code path with the broken import was NOT successfully triggered as part of the conda or conda-build continuous integration.
- The conda 4.13.0 release landed on defaults first, just before a long weekend, without a conda-forge release yet.
- The feedstock maintenance tool conda-smithy (heavily used by conda-forge feedstocks) used flexible channel priority and mixed channels (defaults and conda-forge).
- Incompatible flags between conda & mamba completely breaking mamba (silent exit) which made debugging reports against mamba particularly hard.
- Repodata patching was needed to restrict to previous conda, but mamba continues to respect an unpatched `repodata_record.json`.
As a result, the incident cascaded into the conda-forge community where it was first discovered (among many others) when Numpy tried to build a new version. The Numpy release process got the conda 4.13.0 release from defaults, without prior code review/testing through the regular conda-forge workflow, which is their preferred stack.
It stands to reason that conda-forge's build system (e.g. the conda feedstock) also wouldn't have caught the conda-build bug, even if conda 4.13.0 would have been released there first.
## Mitigation
1. Fix the underlying import error in https://github.com/conda/conda-build/pull/4482
2. Patching repodata for defaults and conda-forge so that older versions of conda-build don’t unexpectedly break with conda 4.13.0 (remains in place)
3. Patch conda-build 3.21.8 in conda-forge with bugfix
4. Releasing conda-build 3.21.9 with the bugfix
5. Build conda-build 3.21.9 to defaults and conda-forge
7. Updating conda-smithy to use strict channel priorities
8. Released mamba 0.24.0 and micromamba 0.24.0 that fixes incompatibilities with conda
## Recommendations
- conda and conda-build **releases in tandem** to reduce time window for potential cascading incidents
- strict, easy to understand **version compatibility** between conda and conda-build
- **continuously pay down tech debt** for conda and friends (in contrast to huge code removals) to reduce surface area for compatibility issues
- new regular and predictable **release process** (also see CEP drafts for: [release schedule](https://github.com/conda-incubator/ceps/pull/26), [conda version](https://github.com/conda-incubator/ceps/pull/25) and [deprecation policy](https://github.com/conda-incubator/ceps/pull/27))
- release coordination of conda and conda-build (and mamba?) for both defaults AND conda-forge (**new cross-organizational conda release team**, led by rotating release manager)
- **new nightly integration testing** between conda, conda-build and mamba canary releases to catch bugs earlier
- **strict channel policy for conda community channels** to reduce fallout on maintainers
- reenable tests in conda and conda-build feedstock to **increase test coverage during builds**
## Timeline <small>(UTC)</small>
| Date | Time | Action | Link |
| -----| ---- | ------ | ---- |
| 2022-05-19 | 16:57 | conda 4.13.0 tagged on Github, https://github.com/conda/conda/releases/tag/4.13.0 |
| 2022-05-19 | 17:02 | conda 4.13.0 feedstock PR opened, https://github.com/AnacondaRecipes/conda-feedstock/pull/6 |
| 2022-05-19 | 17:06 | conda 4.13.0 package build requested for defaults internally at Anaconda | |
| 2022-05-19 | 23:18 | conda 4.13.0 autotick-bot opens PR for conda-forge, https://github.com/conda-forge/conda-feedstock/pull/165 |
…
| 2022-05-26 | 17:07 | Anaconda-internal status request for conda 4.13.0 package build | |
| 2022-05-26 | 23:09 | conda 4.13.0 released on defaults | |
…
| 2022-05-27 | 01:09 | Bug filed in conda-build regarding a regression following the removal of Python 2.7 specific code in conda which was used in conda-build, https://github.com/conda/conda-build/issues/4481 |
| 2022-05-27 | 02:08 | Bugfix PR opened, https://github.com/conda/conda-build/pull/4482 |
| 2022-05-27 | 06:15 | Numpy feedstock maintainers on conda-forge try to build new version, blocked by conda-build bug, https://github.com/conda-forge/numpy-feedstock/pull/272 |
| 2022-05-27 | 06:47 | Bugfix filed in conda-forge feedstock by Numpy maintainers, https://github.com/conda-forge/conda-build-feedstock/pull/176 |
| 2022-05-27 | 08:17 | Bug filed in conda-forge repo for cascading install issue https://github.com/conda-forge/conda-forge.github.io/issues/1762) finding that due to a channel | priority |
| 2022-05-27 | 14:09 | Bugfix PR approved, https://github.com/conda/conda-build/pull/4482 |
| 2022-05-27 | 14:36 | Bugfix filed in conda-forge feedstock, https://github.com/conda-forge/conda-build-feedstock/pull/176 |
| 2022-05-27 | 15:54 | Bugfix PR merged, https://github.com/conda/conda-build/pull/4482 |
| 2022-05-27 | 16:19 | conda-build release PR opened https://github.com/conda/conda-build/pull/4483) and draft release created |
| 2022-05-27 | 17:04 | Repodata patch merged for conda-forge to prevent the issue from spreading, https://github.com/conda-forge/conda-forge-repodata-patches-feedstock/pull/271 |
| 2022-05-28 | 03:10 | Repodata patch for defaults merged to prevent the issue from spreading, https://github.com/conda-forge/conda-forge-repodata-patches-feedstock/pull/271 |
...
| 2022-05-30 | 16:12 | First patch for conda-smithy to switch conda-forge feedstock to strict channel priority opened, replaced by second patch, https://github.com/conda-forge/conda-smithy/pull/1630 |
| 2022-05-30 | 19:12 | Second PR opened for conda-smithy to switch conda-forge feedstock to strict channel priority, https://github.com/conda-forge/conda-smithy/pull/1631 |
| 2022-05-30 | 19:30 | Second PR merged for conda-smithy to switch conda-forge feedstock to strict channel priority,, https://github.com/conda-forge/conda-smithy/pull/1631 |
| 2022-05-31 | 10:09 | conda-build 3.21.9 tagged on GitHub, https://github.com/conda/conda-build/releases/tag/3.21.9 |
| 2022-05-31 | 11:31 | conda-build 3.21.9 defaults feedstock PR opened, https://github.com/AnacondaRecipes/conda-build-feedstock/pull/15 |
| 2022-05-31 | 15:36 | conda-build 3.21.9 defaults feedstock PR merged, https://github.com/AnacondaRecipes/conda-build-feedstock/pull/15 |
| 2022-05-31 | 11:48 | conda-build 3.21.9 conda-forge feedstock PR opened, https://github.com/conda-forge/conda-build-feedstock/pull/177 |
| 2022-05-31 | 13:22 | conda-build 3.21.9 conda-forge feedstock PR merged, https://github.com/conda-forge/conda-build-feedstock/pull/177 |
Google Drive
Gist
Clipboard
Sign in with Wallet
