[keycloak-dev] Do we care about reproducible builds?

Stan Silvert ssilvert at redhat.com
Wed Jul 19 14:26:00 EDT 2017

I'm asking this question about the community version of Keycloak. RH-SSO 
absolutely must be reproducible.

The reason I ask is because we will soon stop checking node_modules into 
github.  javascript libraries will be pulled in at build time.

We will lock down the library versions with yarn, which means everything 
is theoretically reproducible as long as the public npm repo is stable.

But if we want to be extra-sure, we can set up our own npm repo and 
archive it with each community release.

WDYT?  How much do we care about reproducible builds in community?


More information about the keycloak-dev mailing list