I have a PR pending now that will pull js libraries from the public npm
repo. The versions are locked. I'll also include a readme file to let
you know what to do if you need to add or update a js library.
If I don't hear any objection, we won't worry about strict
reproducibility for community releases. We can enhance this later if we
choose.
On 7/20/2017 8:57 AM, Stan Silvert wrote:
So to be more clear, a reproducible build means that once we release
a
version of Keycloak we can rebuild and reproduce the exact bits at any time.
To do this perfectly, we must pull in the exact versions of every js
library we ship.
So the question is, for community builds, should we maintain our own
archived version of these libraries or can we pull from the public npm repo?
In the public npm repo, library publishers are allowed to modify their
bits for 24 hours after publishing. They may also republish at a later
time via special request, though this is highly discouraged.
So if we don't archive js libraries with each release it is possible,
though unlikely, that we could end up with a non-reproducible build.
That's why I ask how much we really care about reproducibility in community.
On 7/19/2017 6:10 PM, Pedro Igor Silva wrote:
> Not sure if we need to worry about our own npm repo but just grab the
> versions we need from npm during the first install/build. Or are you
> more worried about introducing vulnerabilities in case (somehow, by
> passing checksum, i don't know) the version we use is modified ?
>
> Regards.
> Pedro Igor
>
> On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert(a)redhat.com
> <mailto:ssilvert@redhat.com>> wrote:
>
> I'm asking this question about the community version of Keycloak.
> RH-SSO
> absolutely must be reproducible.
>
> The reason I ask is because we will soon stop checking
> node_modules into
> github. javascript libraries will be pulled in at build time.
>
> We will lock down the library versions with yarn, which means
> everything
> is theoretically reproducible as long as the public npm repo is
> stable.
>
> But if we want to be extra-sure, we can set up our own npm repo and
> archive it with each community release.
>
> WDYT? How much do we care about reproducible builds in community?
>
> Stan
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <
https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev