Joseph Schorr
b5bb76cdea
Optimize repository search by changing our lookup strategy
...
Previous to this change, repositories were looked up unfiltered in six different queries, and then filtered using the permissions model, which issued a query per repository found, making search incredibly slow. Instead, we now lookup a chunk of repositories unfiltered and then filter them via a single query to the database. By layering the filtering on top of the lookup, each as queries, we can minimize the number of queries necessary, without (at the same time) using a super expensive join.
Other changes:
- Remove the 5 page pre-lookup on V1 search and simply return that there is one more page available, until there isn't. While technically not correct, it is much more efficient, and no one should be using pagination with V1 search anyway.
- Remove the lookup for repos without entries in the RAC table. Instead, we now add a new RAC entry when the repository is created for *the day before*, with count 0, so that it is immediately searchable
- Remove lookup of results with a matching namespace; these aren't very relevant anyway, and it overly complicates sorting
2017-03-09 19:47:55 -05:00
Joseph Schorr
eff1827d9d
Batch QSS notifications after initial scan
2017-03-01 15:42:49 -05:00
Jimmy Zelinskie
cbb2fff0e2
util.secscan.api: raise exception for !200 status
2017-03-01 00:40:47 -05:00
Jimmy Zelinskie
cba7816caf
util.failover: re-raise exceptions on failure
2017-03-01 00:40:47 -05:00
Joseph Schorr
157640e696
Add config validator for OIDC logins
2017-02-28 16:18:19 -05:00
Joseph Schorr
88b808f468
Fix typo
2017-02-24 12:23:18 -05:00
Joseph Schorr
d4eb4f7f3c
Pull out github trigger and login validation into validator class
2017-02-24 12:23:18 -05:00
Joseph Schorr
a31f2267e8
Pull out gitlab trigger validation into validator class
2017-02-24 12:23:18 -05:00
Joseph Schorr
7a260d81d3
Pull out bitbucket trigger validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
49638b081b
Pull out google login validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
620e377faf
Pull out ssl validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
e76b95f0e6
Add S3 storage test to validator tests
2017-02-24 12:23:17 -05:00
Joseph Schorr
09b3cfd549
Pull out torrent validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
2944a4e13d
Pull out signing validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
8844ecbb7c
Fix imports
2017-02-24 12:23:16 -05:00
Joseph Schorr
dcabb36ac7
Add TODO
2017-02-24 12:23:16 -05:00
Joseph Schorr
3db4c15459
Pull out security scanner validation into validator class
2017-02-24 12:23:16 -05:00
Joseph Schorr
c0f7530b29
Pull out JWT auth validation into validator class
...
Also fixes a small bug in validation (yay tests!)
2017-02-24 12:23:16 -05:00
Joseph Schorr
678f868bc4
Pull out keystone validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
c55ddf7341
Pull out ldap validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
2d64cf3000
Rename config validation source files
2017-02-24 12:23:15 -05:00
Joseph Schorr
00eceb7ed5
Pull out email validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
ee4f5ed5d6
Move registry storage validator to new location
2017-02-24 12:23:15 -05:00
Joseph Schorr
b2afe68632
Pull out redis validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
f933b3e295
Pull out database validation into validator class
2017-02-24 12:23:14 -05:00
Joseph Schorr
484977f728
Refactor security scanner validation from single sleep to polling
2017-02-24 12:23:14 -05:00
Jimmy Zelinskie
c8034deab4
util.secscan.api: failover connection failures
2017-02-23 15:01:32 -05:00
Joseph Schorr
67c0bf6263
Fix docker versioning library to support new versioning scheme
...
Fixes: https://sentry.io/coreos/backend-production/issues/222349174/
Reference: https://github.com/docker/docker/pull/31075
2017-02-22 16:08:17 -05:00
Joseph Schorr
94be8731f3
Change Docker Version tests to pytest
2017-02-22 15:45:06 -05:00
josephschorr
f7a7d30ec2
Merge pull request #2366 from coreos-inc/alert-spam-fixes
...
Small fixes for alert spam
2017-02-22 14:18:18 -05:00
Joseph Schorr
7cc7e54945
Remove unicode before sending it to path parser
...
Fixes https://sentry.io/coreos/backend-production/issues/175929456/
2017-02-22 13:21:12 -05:00
Jake Moshenko
b03e03c389
Read the number of unscanned clair images from the block allocator
2017-02-21 19:13:51 -05:00
josephschorr
8f01cb959a
Merge pull request #2354 from coreos-inc/license-sorting
...
Change entitlement sorting to sort *valid* entitlements by reverse expiration time
2017-02-15 16:24:51 -05:00
Joseph Schorr
d506279892
Change entitlement sorting to sort *valid* entitlements by reverse expiration time
...
With this change, if all entitlements are valid, we sort to show the entitlement that will expire the farthest in the future, as that defines the point at which the user must act before the license becomes invalid.
2017-02-15 14:31:24 -05:00
Charlton Austin
3fd8c8a60d
feature(app.py): adding queue_metrics to queues
...
publishing queue metrics for SRE
[none]
2017-02-14 16:01:28 -05:00
Jimmy Zelinskie
1d6339e644
test.test_api_usage: fix secscan tests
2017-02-14 15:21:18 -05:00
Jimmy Zelinskie
3286566478
util.secscan.api: reorg try/catch
2017-02-14 15:21:17 -05:00
Jimmy Zelinskie
d2909c0e4d
failover: store result in FailoverException
2017-02-14 14:36:36 -05:00
Jimmy Zelinskie
c2c6bc1e90
test: add qss read failover case
2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
1d59095460
utils.secscan: linter fixes
2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
e81926fcba
util.secscan.api: init read-only failover
2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
b4efa7e45b
util.failover: init
2017-02-03 19:20:13 -05:00
Joseph Schorr
c9bb132339
Increase cloudwatch send timeout to reduce how often we hit the API
2017-02-01 13:09:00 -05:00
Joseph Schorr
b407f88a26
Remove unnecessary CloudWatch metrics
...
They are spamming the API and costing us a lot of money
2017-02-01 13:08:21 -05:00
josephschorr
01ec22b362
Merge pull request #2300 from coreos-inc/openid-connect
...
OpenID Connect support and OAuth login refactoring
2017-01-31 18:14:44 -05:00
Jimmy Zelinskie
7a957c94c8
image/appc: fix volume conversion and add tests
2017-01-31 15:37:16 -05:00
Joseph Schorr
f5dbc350f8
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 17:28:25 -05:00
Joseph Schorr
d63cca025a
DNS name check got reversed; breaks wildcards
2017-01-29 11:51:37 -05:00
Joseph Schorr
d9003d1375
Make sure the parent dir of a file path exists before writing the file
...
Fixes when the `extra_ca_certs` directory doesn't exist when using the new custom certs tool
2017-01-26 15:15:40 -05:00
Joseph Schorr
7c1bb886db
Security scanner ordered tuplize bug fix
...
If only the old list is present, we still need to tuplize the entries.
Fixes https://sentry.io/coreos/backend-production/issues/207196561/
2017-01-24 13:16:44 -05:00
Joseph Schorr
19f7acf575
Lay foundation for truly dynamic external logins
...
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00
Joseph Schorr
4755d08677
Refactor and rename the standard OAuth services
2017-01-19 15:23:15 -05:00
Joseph Schorr
bee2551dc2
Temporarily remove Dex login support
...
This will be added back in later in this PR as part of proper generic OIDC support
2017-01-19 14:51:12 -05:00
Joseph Schorr
7c7a07fb5a
Allow namespaces to be between 2 and 255 characters in length
...
[Delivers #137924329 ]
2017-01-19 13:10:26 -05:00
Joseph Schorr
462f47924e
More detailed namespace validation
...
Fixes namespace validation to use the proper regex for checking length, as well as showing the proper messaging if the entered namespace is invalid
[Delivers #137830461 ]
2017-01-17 17:31:59 -05:00
josephschorr
aafcb592a6
Merge pull request #2257 from coreos-inc/clair-gc-take2
...
feat(gc): Garbage collection for security scanning
2017-01-17 14:49:36 -05:00
josephschorr
eb2cafacd4
Merge pull request #2249 from coreos-inc/notifier-fixes
...
Security notification pagination fix
2017-01-17 11:33:25 -05:00
josephschorr
ac8cddc5a9
Merge pull request #2274 from coreos-inc/custom-cert-management
...
Custom SSL certificates config panel
2017-01-13 16:24:47 -05:00
josephschorr
6539fa3b20
Merge pull request #2259 from coreos-inc/delete-abuse-tool
...
Add tool for handling abusing users
2017-01-13 16:22:15 -05:00
Joseph Schorr
1cbacbbb63
Add tool for handling abusing users
2017-01-13 14:42:03 -05:00
Joseph Schorr
7e0fbeb625
Custom SSL certificates config panel
...
Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle
[Delivers #135586525 ]
2017-01-13 14:34:35 -05:00
Joseph Schorr
3a24871422
Add SSL certificate utility and tests
2017-01-10 17:06:13 -05:00
Joseph Schorr
f1c9965edf
Add more volume file operations and cleanup k8s provider code
2017-01-10 17:06:13 -05:00
Joseph Schorr
29d6abddb5
Linter fixes
2017-01-10 17:06:13 -05:00
EvB
a7122db250
fix(cloudwatch): randomize sleep interval
2017-01-05 11:41:12 -05:00
Jake Moshenko
6c84b9330b
Merge pull request #2251 from jakedt/fixaci
...
Fix port mapping for ACI conversion from newer Docker manifests.
2016-12-27 14:13:03 -05:00
Joseph Schorr
d609e6a1c4
Security scanner garbage collection support
...
Adds support for calling GC in the security scanner for any layers+storage removed by GC on the Quay side
2016-12-22 14:55:26 -05:00
Joseph Schorr
9413e25123
Change georeplication queuing to use new batch system
2016-12-21 17:44:30 -05:00
Jake Moshenko
d58a1ca35a
Fix port mapping for ACI conversion from newer Docker manifests.
2016-12-20 14:01:06 -05:00
Joseph Schorr
5b3212ea0e
Change security notification code to use the new stream diff reporters
...
This ensures that even if security scanner pagination sends Old and New layer IDs on different pages, they will properly be handled across the entire notification.
Fixes https://www.pivotaltracker.com/story/show/136133657
2016-12-20 12:50:19 -05:00
Joseph Schorr
ced0149520
Implement helper classes for tracking streaming diffs, both indexed and non-indexed
...
These classes will be used to handle the Layer ID paginated diffs from Clair.
2016-12-20 12:50:18 -05:00
Joseph Schorr
405eca074c
Security scanner flow changes and auto-retry
...
Changes the security scanner code to raise exceptions now for non-successful operations. One of the new exceptions raised is MissingParentLayerException, which, when raised, will cause the security worker to perform a full rescan of all parent images for the current layer, before trying once more to scan the current layer. This should allow the system to be "self-healing" in the case where the security scanner engine somehow loses or corrupts a parent layer.
2016-12-16 15:38:09 -05:00
josephschorr
9fa16679f8
Merge pull request #2238 from coreos-inc/fake-clair
...
Add a fake security scanner class for easier testing
2016-12-15 20:51:24 -05:00
Brad Ison
2730c26b2e
Merge pull request #2237 from coreos-inc/metrics-labels
...
Don't record size in chunk upload metrics
2016-12-15 14:20:34 -05:00
Brad Ison
df7366eace
Add chunk size metric
2016-12-15 13:20:16 -05:00
Joseph Schorr
15041ac5ed
Add a fake security scanner class for easier testing
...
The FakeSecurityScanner mocks out all calls that Quay is expected to make to the security scanner API, and returns faked data that can be adjusted by the calling test case
2016-12-14 17:11:45 -05:00
Brad Ison
8f59ac1251
Don't record size in chunk upload metrics
2016-12-14 12:16:02 -05:00
Joseph Schorr
6871eb95b1
Send notifications for previously unscannable layers in QSS
...
Following this change, if an image was previously indexed unsuccessfully, then we will send notifications once successfully indexed
2016-12-14 11:25:45 -05:00
Joseph Schorr
624b2a8385
Have security scanner analyze only send notifications for *new* layers
...
Following this change, anytime a layer is indexed by the security scanner, we only send notifications out if the layer previously had a security_indexed_engine value of `-1`, thus ensuring it has *never* been indexed previously. This will allow us to change to version of the security scanner upwards, and have all the images be re-indexed, without firing off notifications in a spammy manner.
2016-12-13 23:17:11 -05:00
Evan Cordell
5686c80af1
Revert "Add GC of layers in Clair"
...
This reverts 49872838ab
2016-12-13 18:40:58 -05:00
Evan Cordell
dd5f7cbe6c
Fix the ephemeral build metrics
2016-12-13 18:28:04 -05:00
Joseph Schorr
1e5b97318a
Fix loading of public keys for OIDC under Linux
...
Python's crypto lib under Linux has issues with loading PEM-encoded keys, so we just load it as a DER here and give PyJWT the key *instance* to use directly.
2016-12-09 14:26:56 -05:00
Joseph Schorr
dbdcb802b1
Add end-to-end OAuth login and attach tests
2016-12-08 18:35:42 -05:00
Joseph Schorr
49872838ab
Add GC of layers in Clair
...
Fixes https://www.pivotaltracker.com/story/show/135583207
2016-12-06 19:52:56 -05:00
Jake Moshenko
21e3001446
Add a bulk insert for queue and notifications.
...
Use it for Clair spawned notifications.
2016-12-06 14:00:16 -05:00
Charlton Austin
edd9dcd7f6
Adding in some metrics around clair sec scan.
2016-12-01 16:50:02 -05:00
Joseph Schorr
236655adb4
Fix config validator for storage and add a test suite
...
Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-30 11:58:41 -05:00
Joseph Schorr
1a61ef4e04
Report the user's name and company to Marketo
...
Also fixes the API to report the other changes (username and email) as well
2016-11-14 17:34:50 -05:00
josephschorr
74e54bdbbb
Merge pull request #1872 from coreos-inc/qe-torrent
...
Add QE setup tool support for BitTorrent downloads
2016-11-11 13:56:22 -05:00
Jake Moshenko
b5834a8a66
Collapse all migrations prior to 2.0.0 into one.
2016-11-10 17:31:00 -05:00
Joseph Schorr
74c3346562
Add a warning bar when the license will become invalid in a week
2016-11-08 14:24:55 -05:00
Joseph Schorr
4b926ae189
Add new metrics as requested by some customers
...
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a followup PR
2016-11-03 15:28:40 -04:00
Joseph Schorr
681f975df5
Add QE setup tool support for BitTorrent downloads
...
Fixes #1871
2016-11-02 17:32:12 -04:00
josephschorr
840ea4e768
Merge pull request #2047 from coreos-inc/external-auth-email-optional
...
Make email addresses optional in external auth if email feature is turned off
2016-10-31 14:16:33 -04:00
Joseph Schorr
3a473cad2a
Enable permanent sessions
...
Fixes #1955
2016-10-31 13:52:09 -04:00
Joseph Schorr
d7f56350a4
Make email addresses optional in external auth if email feature is turned off
...
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
josephschorr
934cdecbd6
Merge pull request #1905 from coreos-inc/external-auth-search
...
Add support for entity search against external auth users not yet linked
2016-10-27 16:06:42 -04:00
Joseph Schorr
b3d1d7227c
Add support to Keystone Auth for external user linking
...
Also adds Keystone V3 support
2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e
Add support to ExternalJWT Auth for external user linking
2016-10-27 15:42:03 -04:00
Jake Moshenko
45bacbabaa
s/Regions/Deployments
2016-10-24 16:04:04 -04:00
josephschorr
67dde6e154
Merge pull request #1852 from coreos-inc/underscore_orgs
...
Better handling of namespace validation to fix a number of issues
2016-10-20 13:36:32 -04:00
Joseph Schorr
3a68740ff7
Better handling of namespace validation to fix a number of issues
...
- Fixes a bug which allows for underscores at the beginning of namespaces: Fixes #1849
- Allows dots and dashes for newer Docker clients: Fixes #1188
- Has the UI display better messaging associated with namespace entry
2016-10-20 13:32:22 -04:00
Joseph Schorr
213cc856e4
Fix UI for real license handling
...
Following this change, the user gets detailed errors and entitlement information
2016-10-19 17:49:15 -04:00
Joseph Schorr
2eabf1a291
Fix tests and test provider for real license format
2016-10-18 23:44:08 -04:00
Jake Moshenko
9f1c12e413
Refactor our license code to be entitlement centric.
2016-10-18 22:33:28 -04:00
Jake Moshenko
d90398e9ff
Change the monthly license grace period to 11 months.
2016-10-18 18:46:40 -04:00
Joseph Schorr
67f828279d
Switch the license validator to use config_provider and have a test license
...
Fixes the broken tests currently which try (and fail) to read the license file
2016-10-18 11:44:13 -04:00
Joseph Schorr
ee96693252
Add superuser config section for updating license
2016-10-17 21:44:25 -04:00
Jimmy Zelinskie
5fee4d6d19
*: misc formatting cleanup
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
a42eb09a3e
util.license: make bp-modification a method
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
6eb26d7998
configproviders: pass filemode when opening volume
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
0c5400b7d1
enforce license across registry blueprints
2016-10-17 21:43:45 -04:00
Joseph Schorr
8fe29c5b89
Add license upload step to the setup flow
...
Fixes #853
2016-10-17 21:43:15 -04:00
Joseph Schorr
5211c407ff
Add license checking to Quay
...
Based off of mjibson's changes
Fixes #499
2016-10-17 21:43:15 -04:00
josephschorr
78f87d96bc
Merge pull request #1986 from coreos-inc/external-tls
...
Add option to properly handle external TLS
2016-10-15 16:05:28 -04:00
Jake Moshenko
f04b018805
Write our users to Marketo as leads.
2016-10-14 16:29:11 -04:00
Jake Moshenko
013e27f7d5
Clean up mixpanel analytics a bit.
2016-10-13 15:03:04 -04:00
Joseph Schorr
5a8200f17a
Add option to properly handle external TLS
...
Fixes #1984
2016-10-13 14:49:29 -04:00
Joseph Schorr
6ea51afa66
Add a configurable prometheus namespace for all metrics
...
Fixes #1918
2016-10-05 10:33:35 +03:00
josephschorr
684ace3b5a
Merge pull request #1761 from coreos-inc/nginx-direct-download
...
Add feature flag to force all direct download URLs to be proxied
2016-09-29 22:46:57 +02:00
Evan Cordell
832ee89923
Add duration metric collector decorator ( #1885 )
...
Track time-to-start for builders
Track time-to-build for builders
Track ec2 builder fallbacks
Track build time
2016-09-29 15:44:06 -04:00
Joseph Schorr
6ae3faf7fc
Add explicit config parameter to the JWT auth methods
2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20
Add feature flag to force all direct download URLs to be proxied
...
Fixes #1667
2016-09-29 11:13:41 +02:00
Jimmy Zelinskie
fc7301be0d
*: fix legacy imports
...
This change reorganizes imports and renames the legacy flask extensions.
2016-09-28 20:17:14 -04:00
Jimmy Zelinskie
ae16d24fd1
license: validate via key instance rather than PEM
2016-09-28 15:44:28 -04:00
josephschorr
e1771abe58
Merge pull request #739 from coreos-inc/license
...
Add license checking to Quay
2016-09-27 16:52:08 +02:00
Joseph Schorr
476576bb70
Add license checking to Quay
...
Based off of mjibson's changes
Fixes #499
2016-09-27 10:31:34 +02:00
Joseph Schorr
3c8b87e086
Fix verbs in manifestlist
...
All registry_tests now pass
2016-09-26 14:49:58 -04:00
Jimmy Zelinskie
59529569dc
reorder imports
2016-09-26 14:48:05 -04:00
josephschorr
ad4efba802
Merge pull request #1830 from coreos-inc/superuser-dashboard
...
Add prometheus stats to enable better dashboarding
2016-09-26 17:19:22 +02:00
Joseph Schorr
25ed99f9ef
Add feature flag to turn off requirement for team invitations
...
Fixes #1804
2016-09-20 16:45:00 -04:00
Joseph Schorr
c7beea2032
Fix handling of custom LDAP cert
...
This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs
Fixes #1846
2016-09-19 17:55:08 -04:00
Joseph Schorr
1571b2867a
Add executor name to the build metric
2016-09-16 16:26:04 -04:00
Joseph Schorr
30af8aef1a
Add a worker for reporting global stats to Prometheus
...
Fixes #1789
2016-09-12 16:19:19 -04:00
Joseph Schorr
818ea38dac
Add repo-specific reporting of repository builds
2016-09-09 15:36:54 -04:00
Joseph Schorr
c8a1b8abab
Add prom stats for repository push, pull and verb actions
2016-09-09 15:13:58 -04:00
Jake Moshenko
1d8b72235a
Add a helper method to Image to parse ancestor string.
2016-09-07 10:48:58 -04:00
josephschorr
480d890442
Merge pull request #1771 from coreos-inc/kubernetes-save-error
...
Make sure the Quay Enterprise Kubernetes namespace exists
2016-08-30 12:59:00 -04:00
Joseph Schorr
3f9c82462f
Make sure the Quay Enterprise Kubernetes namespace exists
...
Prevents config from failing to save. Also clarifies any other errors that do occur.
Fixes #1449
2016-08-30 12:58:39 -04:00
Joseph Schorr
aa7c87d765
Fix locking via RedLock
...
Fixes #1777
2016-08-29 16:06:26 -04:00
Joseph Schorr
608ffd9663
Basic labels support
...
Adds basic labels support to the registry code (V2), and the API. Note that this does not yet add any UI related support.
2016-08-26 15:24:26 -04:00
Joseph Schorr
193040a473
Fix tag links
...
Fixes #1741
2016-08-17 15:06:10 -04:00
Joseph Schorr
afc2705b1c
Have email read the enterprise logo
2016-08-09 12:18:35 -04:00
Ben Spoon
b0e34692cf
Merge pull request #1674 from coreos-inc/new-quay-emails
...
New quay emails
2016-08-09 09:12:54 -07:00
Ben Spoon
2b92fded68
emails: address review feedback
2016-08-08 13:29:47 -07:00
Ben Spoon
004b834c72
emails: only show quay footer if coming from hosted
2016-08-04 11:55:55 -07:00
Ben Spoon
46a720285a
emails: update payment failure admin link
...
addresses issue #1623
2016-08-04 11:55:50 -07:00
Ben Spoon
5019ef0b6b
emails: change the app_link_handler to return just a uri
...
There is no need for an anchor tag any longer.
2016-08-04 11:55:48 -07:00
Joseph Schorr
770ac0016e
Change validate method to work for all storages
2016-08-02 15:01:37 -04:00
Joseph Schorr
0fe3e6510a
Prevent invalid tags on builds
...
Fixes #1632
2016-07-25 17:50:35 -07:00