[keycloak-dev] Do we care about reproducible builds?

Stan Silvert ssilvert at redhat.com
Thu Jul 20 08:57:58 EDT 2017 

So to be more clear, a reproducible build means that once we release a 
version of Keycloak we can rebuild and reproduce the exact bits at any time.

To do this perfectly, we must pull in the exact versions of every js 
library we ship.

So the question is, for community builds, should we maintain our own 
archived version of these libraries or can we pull from the public npm repo?

In the public npm repo, library publishers are allowed to modify their 
bits for 24 hours after publishing.  They may also republish at a later 
time via special request, though this is highly discouraged.

So if we don't archive js libraries with each release it is possible, 
though unlikely, that we could end up with a non-reproducible build.

That's why I ask how much we really care about reproducibility in community.

On 7/19/2017 6:10 PM, Pedro Igor Silva wrote:
> Not sure if we need to worry about our own npm repo but just grab the 
> versions we need from npm during the first install/build. Or are you 
> more worried about introducing vulnerabilities in case (somehow, by 
> passing checksum, i don't know) the version we use is modified ?
>
> Regards.
> Pedro Igor
>
> On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert at redhat.com 
> <mailto:ssilvert at redhat.com>> wrote:
>
>     I'm asking this question about the community version of Keycloak.
>     RH-SSO
>     absolutely must be reproducible.
>
>     The reason I ask is because we will soon stop checking
>     node_modules into
>     github.  javascript libraries will be pulled in at build time.
>
>     We will lock down the library versions with yarn, which means
>     everything
>     is theoretically reproducible as long as the public npm repo is
>     stable.
>
>     But if we want to be extra-sure, we can set up our own npm repo and
>     archive it with each community release.
>
>     WDYT?  How much do we care about reproducible builds in community?
>
>     Stan
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>

More information about the keycloak-dev mailing list