[keycloak-dev] Do we care about reproducible builds?

Bruno Oliveira bruno at abstractj.org
Wed Jul 19 17:40:18 EDT 2017

Thinking about this scenario and the fact that you're going to lock down
the library versions.
I'd say go for it.

On Wed, Jul 19, 2017 at 5:03 PM Stan Silvert <ssilvert at redhat.com> wrote:

> I'm asking this question about the community version of Keycloak. RH-SSO
> absolutely must be reproducible.
> The reason I ask is because we will soon stop checking node_modules into
> github.  javascript libraries will be pulled in at build time.
> We will lock down the library versions with yarn, which means everything
> is theoretically reproducible as long as the public npm repo is stable.
> But if we want to be extra-sure, we can set up our own npm repo and
> archive it with each community release.
> WDYT?  How much do we care about reproducible builds in community?
> Stan
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list