Re: [keycloak-dev] Do we care about reproducible builds?

Not sure if we need to worry about our own npm repo but just grab the versions we need from npm during the first install/build. Or are you more worried about introducing vulnerabilities in case (somehow, by passing checksum, i don't know) the version we use is modified ? Regards. Pedro Igor On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert(a)redhat.com <mailto:ssilvert@redhat.com>> wrote: I'm asking this question about the community version of Keycloak. RH-SSO absolutely must be reproducible. The reason I ask is because we will soon stop checking node_modules into github. javascript libraries will be pulled in at build time. We will lock down the library versions with yarn, which means everything is theoretically reproducible as long as the public npm repo is stable. But if we want to be extra-sure, we can set up our own npm repo and archive it with each community release. WDYT? How much do we care about reproducible builds in community? Stan _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev>