[keycloak-dev] Do we care about reproducible builds?
Stan Silvert
ssilvert at redhat.com
Thu Jul 20 13:41:14 EDT 2017
I have a PR pending now that will pull js libraries from the public npm
repo. The versions are locked. I'll also include a readme file to let
you know what to do if you need to add or update a js library.
If I don't hear any objection, we won't worry about strict
reproducibility for community releases. We can enhance this later if we
choose.
On 7/20/2017 8:57 AM, Stan Silvert wrote:
> So to be more clear, a reproducible build means that once we release a
> version of Keycloak we can rebuild and reproduce the exact bits at any time.
>
> To do this perfectly, we must pull in the exact versions of every js
> library we ship.
>
> So the question is, for community builds, should we maintain our own
> archived version of these libraries or can we pull from the public npm repo?
>
> In the public npm repo, library publishers are allowed to modify their
> bits for 24 hours after publishing. They may also republish at a later
> time via special request, though this is highly discouraged.
>
> So if we don't archive js libraries with each release it is possible,
> though unlikely, that we could end up with a non-reproducible build.
>
> That's why I ask how much we really care about reproducibility in community.
>
> On 7/19/2017 6:10 PM, Pedro Igor Silva wrote:
>> Not sure if we need to worry about our own npm repo but just grab the
>> versions we need from npm during the first install/build. Or are you
>> more worried about introducing vulnerabilities in case (somehow, by
>> passing checksum, i don't know) the version we use is modified ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:
>>
>> I'm asking this question about the community version of Keycloak. RH-SSO
>> absolutely must be reproducible.
>>
>> The reason I ask is because we will soon stop checking node_modules into
>> github. JavaScript libraries will be pulled in at build time.
>>
>> We will lock down the library versions with yarn, which means everything
>> is theoretically reproducible as long as the public npm repo is stable.
>>
>> But if we want to be extra-sure, we can set up our own npm repo and
>> archive it with each community release.
>>
>> WDYT? How much do we care about reproducible builds in community?
>>
>> Stan
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>