[keycloak-dev] Do we care about reproducible builds?

Stian Thorgersen sthorger at redhat.com
Mon Aug 14 06:07:09 EDT 2017


In community let's just use public NPM as we do for Maven repos. We do not
maintain old Keycloak releases and hence don't need to guarantee that we
can reproduce old builds.

On 20 July 2017 at 19:41, Stan Silvert <ssilvert at redhat.com> wrote:

> I have a PR pending now that will pull js libraries from the public npm
> repo.   The versions are locked. I'll also include a readme file to let
> you know what to do if you need to add or update a js library.
>
> If I don't hear any objection, we won't worry about strict
> reproducibility for community releases.  We can enhance this later if we
> choose.
>
> On 7/20/2017 8:57 AM, Stan Silvert wrote:
> > So to be more clear, a reproducible build means that once we release a
> > version of Keycloak we can rebuild and reproduce the exact bits at any
> time.
> >
> > To do this perfectly, we must pull in the exact versions of every js
> > library we ship.
> >
> > So the question is, for community builds, should we maintain our own
> > archived version of these libraries or can we pull from the public npm
> repo?
> >
> > In the public npm repo, library publishers are allowed to modify their
> > bits for 24 hours after publishing.  They may also republish at a later
> > time via special request, though this is highly discouraged.
> >
> > So if we don't archive js libraries with each release it is possible,
> > though unlikely, that we could end up with a non-reproducible build.
> >
> > That's why I ask how much we really care about reproducibility in
> community.
> >
> > On 7/19/2017 6:10 PM, Pedro Igor Silva wrote:
> >> Not sure if we need to worry about our own npm repo but just grab the
> >> versions we need from npm during the first install/build. Or are you
> >> more worried about introducing vulnerabilities in case (somehow, by
> >> passing checksum, I don't know) the version we use is modified ?
> >>
> >> Regards.
> >> Pedro Igor
> >>
> >> On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert at redhat.com
> >> <mailto:ssilvert at redhat.com>> wrote:
> >>
> >>      I'm asking this question about the community version of Keycloak.
> >>      RH-SSO
> >>      absolutely must be reproducible.
> >>
> >>      The reason I ask is because we will soon stop checking
> >>      node_modules into
> >>      GitHub.  JavaScript libraries will be pulled in at build time.
> >>
> >>      We will lock down the library versions with yarn, which means
> >>      everything
> >>      is theoretically reproducible as long as the public npm repo is
> >>      stable.
> >>
> >>      But if we want to be extra-sure, we can set up our own npm repo and
> >>      archive it with each community release.
> >>
> >>      WDYT?  How much do we care about reproducible builds in community?
> >>
> >>      Stan
> >>      _______________________________________________
> >>      keycloak-dev mailing list
> >>      keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >>      https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>      <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
> >>
> >>
>
>
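Pedro's question about a modified version somehow passing a checksum, and Stan's point that locked versions are only reproducible while the public registry is stable, both come down to whether the lockfile records an integrity hash for each tarball rather than just a version. As an added example (not code from this thread or from the Keycloak project), the script below checks a constructed package-lock.json: entries that pin a version without an `integrity` field are reported as unpinned, and a tarball is verified against the recorded Subresource Integrity hash, so republished bits under the same version number fail. The package names, lockfile and tarball bytes are all constructed.

```python
"""Check that npm lockfile entries pin bytes (SRI integrity), not just versions,
and verify a tarball against the recorded hash. Everything is constructed inline."""
import base64
import hashlib

# Constructed stand-in for a registry tarball (not a real package).
GOOD_TARBALL = b"PK\x03\x04 fake-lib-1.2.3 contents"
# Same version "republished" with different bytes.
MODIFIED_TARBALL = GOOD_TARBALL + b" trailing change"


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string as written in package-lock.json: '<algo>-<base64>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True if data matches any token of a (possibly space-separated) SRI value."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in hashlib.algorithms_available and make_sri(data, algo) == token:
            return True
    return False


# Constructed package-lock.json (lockfileVersion 2 layout); names are hypothetical.
LOCKFILE = {
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "0.0.1"},  # root project entry
        "node_modules/fake-lib": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/fake-lib/-/fake-lib-1.2.3.tgz",
            "integrity": make_sri(GOOD_TARBALL),
        },
        "node_modules/unpinned-lib": {  # version locked, bytes are not
            "version": "0.9.0",
            "resolved": "https://registry.npmjs.org/unpinned-lib/-/unpinned-lib-0.9.0.tgz",
        },
    },
}


def unpinned_packages(lock: dict) -> list:
    """Dependency entries that pin a version but carry no integrity hash."""
    return sorted(p for p, e in lock["packages"].items() if p and "integrity" not in e)


def check_package(lock: dict, path: str, tarball: bytes) -> bool:
    """Verify a fetched tarball for one entry; a missing integrity field is a failure."""
    integrity = lock["packages"][path].get("integrity")
    return bool(integrity) and verify_sri(tarball, integrity)
```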

