[keycloak-dev] Do we care about reproducible builds?
Pedro Igor Silva
psilva at redhat.com
Wed Jul 19 18:10:13 EDT 2017
Not sure if we need to worry about our own npm repo, but just grab the
versions we need from npm during the first install/build. Or are you more
worried about introducing vulnerabilities in case (somehow, by passing the
checksum, I don't know) the version we use is modified?
On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:
> I'm asking this question about the community version of Keycloak. RH-SSO
> absolutely must be reproducible.
> The reason I ask is because we will soon stop checking node_modules into
> We will lock down the library versions with yarn, which means everything
> is theoretically reproducible as long as the public npm repo is stable.
> But if we want to be extra-sure, we can set up our own npm repo and
> archive it with each community release.
> WDYT? How much do we care about reproducible builds in community?
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org