Tweak solver's same-origin heuristic #2208
Previously, we'd always prefer providers of constraints that come from the same origin as a package we'd already selected. This made it very difficult to move a package to a different origin, as the heuristic would select the older version of an APK that matched the same origin. This change tracks not just origins we've already selected, but the version of that origin, so we don't end up stuck on an older version.

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
One interesting test case for this is "pinning down one package, and expect the rest to match" which is an often expected behaviour. Currently given this apko.yaml:

contents:
  repositories:
    - https://apk.cgr.dev/chainguard
  packages:
    - openssh=10.2_p1-r0
archs:
  - amd64

This results in openssh metapackage to be pinned down, yet all other client/server packages are actually still resolved to latest 10.3 version. With this PR however, they all correctly transitively pin-down to the same origin version, as actually expected by customers.
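A simplified model of the two heuristics discussed above, as an added example that is not part of the pull request or apko's own code. `Pkg`, `pickOld` and `pickNew` are hypothetical names, the candidate list is assumed non-empty and sorted newest-first, and the `foo`/`bar` packages, the `openssh-client` name and the `10.3-r0` version string are constructed.

```go
package main

import "fmt"

// Pkg is a simplified APK index entry (hypothetical type, not apko's).
type Pkg struct{ Name, Version, Origin string }

// pickOld models the earlier heuristic: the first candidate whose origin is
// already selected wins, whatever its version. cands is non-empty, newest-first.
func pickOld(cands []Pkg, selected map[string]string) Pkg {
	for _, c := range cands {
		if _, ok := selected[c.Origin]; ok {
			return c
		}
	}
	return cands[0]
}

// pickNew models the changed heuristic: a candidate wins only if its origin
// is selected at exactly this version; otherwise fall back to the newest.
func pickNew(cands []Pkg, selected map[string]string) Pkg {
	for _, c := range cands {
		if v, ok := selected[c.Origin]; ok && v == c.Version {
			return c
		}
	}
	return cands[0]
}

func main() {
	// Constructed case 1: a subpackage moved from origin "foo" to origin "bar".
	moved := []Pkg{
		{"foo-tools", "2.0-r0", "bar"},
		{"foo-tools", "1.0-r0", "foo"},
	}
	sel := map[string]string{"foo": "3.0-r0"} // origin -> selected version
	fmt.Println(pickOld(moved, sel).Version, pickNew(moved, sel).Version)

	// Constructed case 2: the origin is pinned to an older version.
	pinned := []Pkg{
		{"openssh-client", "10.3-r0", "openssh"}, // version string constructed
		{"openssh-client", "10.2_p1-r0", "openssh"},
	}
	sel = map[string]string{"openssh": "10.2_p1-r0"}
	fmt.Println(pickOld(pinned, sel).Version, pickNew(pinned, sel).Version)
}
```

In the first case the older model stays on the stale `foo` build while the newer one takes the package from `bar`; in the second, only the newer model follows the pin.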
Full image lock looks good, there are a couple package version downgrades, which are expected based on this change and are more accurate and correct resolution. There is one resolution failure, which is absolutely correct as a subpackage was removed and yet the lock is trying to use mismatched packages.
Interesting lock changes:
diff --git a/images/google-cloud-sdk-iamguarded/package_lock.cue b/images/google-cloud-sdk-iamguarded/package_lock.cue
index fb6aea05f5d..bb28e77540c 100644
--- a/images/google-cloud-sdk-iamguarded/package_lock.cue
+++ b/images/google-cloud-sdk-iamguarded/package_lock.cue
@@ -38,7 +38,7 @@ pkgLocks: {
"py3-pip-wheel=26.0.1-r2",
"py3-setuptools-wheel=82.0.1-r0",
"py3.11-crcmod=1.7-r11",
- "py3.11-google-cloud-sdk=543.0.0-r0",
+ "py3.11-google-cloud-sdk=565.0.0-r0",
"py3.13-crcmod=1.7-r11",
"py3.13-google-cloud-sdk=565.0.0-r0",
"python-3.11-base=3.11.15-r2",
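Review bot: the py3.11-google-cloud-sdk line moves up from 543.0.0-r0 to 565.0.0-r0, so this is an upgrade rather than one of the downgrades the lock summary mentions, and that is worth stating in the conversation so the lock change is not read as downgrade-only. After the change it agrees with py3.13-google-cloud-sdk=565.0.0-r0 in the context lines, and the same one-line change repeats at @@ -100 and @@ -148. If the two packages come from one origin, suggest a solver test with two such packages expected to resolve to a single version, so this alignment is covered by a test and not only by lock diffs.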
@@ -100,7 +100,7 @@ pkgLocks: {
"py3-pip-wheel=26.0.1-r2",
"py3-setuptools-wheel=82.0.1-r0",
"py3.11-crcmod=1.7-r11",
- "py3.11-google-cloud-sdk=543.0.0-r0",
+ "py3.11-google-cloud-sdk=565.0.0-r0",
"py3.13-crcmod=1.7-r11",
"py3.13-google-cloud-sdk=565.0.0-r0",
"python-3.11-base=3.11.15-r2",
@@ -148,7 +148,7 @@ pkgLocks: {
"py3-pip-wheel=26.0.1-r2",
"py3-setuptools-wheel=82.0.1-r0",
"py3.11-crcmod=1.7-r11",
- "py3.11-google-cloud-sdk=543.0.0-r0",
+ "py3.11-google-cloud-sdk=565.0.0-r0",
"py3.13-crcmod=1.7-r11",
"py3.13-google-cloud-sdk=565.0.0-r0",
"python-3.11-base=3.11.15-r2",
diff --git a/images/kubernetes-reflector/package_lock.cue b/images/kubernetes-reflector/package_lock.cue
index 25c8fd3e8c6..cbfc1a855a0 100644
--- a/images/kubernetes-reflector/package_lock.cue
+++ b/images/kubernetes-reflector/package_lock.cue
@@ -17,8 +17,7 @@ pkgLocks: {
"glibc=2.43-r7",
"icu-data-full=75.1-r42",
"icu-libs=75.1-r42",
- "icu78-data-full=78.3-r1",
- "icu=78.3-r1",
+ "icu=75.1-r42",
"kubernetes-reflector-compat=10.0.40-r0",
"kubernetes-reflector=10.0.40-r0",
"ld-linux=2.43-r7",
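Review bot: confirm that settling on the older line is intended at icu=75.1-r42. The mix of icu=78.3-r1 with icu-libs=75.1-r42 and icu-data-full=75.1-r42 (both in the context lines) goes away, but only by moving icu down to 75.1-r42 and dropping icu78-data-full, with libicu78 removed in the next hunk. Since the stated goal is not to get stuck on an older version, check what holds icu-libs at 75.1-r42 in this image and whether that constraint, rather than icu, is what should move.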
@@ -27,7 +26,6 @@ pkgLocks: {
"libcrypto3=3.6.2-r3",
"libexpat1=2.8.0-r0",
"libgcc=15.2.0-r11",
- "libicu78=78.3-r1",
"libssl3=3.6.2-r3",
"libstdc++=15.2.0-r11",
"libunwind=1.8.3-r4",
@@ -54,8 +52,7 @@ pkgLocks: {
"heimdal-libs=7.8.0-r48",
"icu-data-full=75.1-r42",
"icu-libs=75.1-r42",
- "icu78-data-full=78.3-r1",
- "icu=78.3-r1",
+ "icu=75.1-r42",
"keyutils-libs=1.6.3-r38",
"krb5-conf=1.0-r9",
"krb5-libs=1.22.2-r2", |