[keycloak-dev] Do we care about reproducible builds?

Pedro Igor Silva psilva at redhat.com
Wed Jul 19 18:10:13 EDT 2017


Not sure if we need to worry about our own npm repo; we can just grab the
versions we need from npm during the first install/build. Or are you more
worried about introducing vulnerabilities in case (somehow, by bypassing the
checksum, I don't know) the version we use is modified?

Regards.
Pedro Igor

On Wed, Jul 19, 2017 at 3:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:

> I'm asking this question about the community version of Keycloak. RH-SSO
> absolutely must be reproducible.
>
> The reason I ask is because we will soon stop checking node_modules into
> GitHub. JavaScript libraries will be pulled in at build time.
>
> We will lock down the library versions with yarn, which means everything
> is theoretically reproducible as long as the public npm repo is stable.
>
> But if we want to be extra-sure, we can set up our own npm repo and
> archive it with each community release.
>
> WDYT? How much do we care about reproducible builds in community?
>
> Stan
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
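The checksum point raised in the reply above, shown as an added example that is not part of this thread or of the Keycloak build: a yarn v1 lockfile records not only the version but an SRI `integrity` hash of the tarball, so a package that is republished at the same version with different bytes fails verification. The lockfile fragment, package name, registry URL and tarball bytes below are all constructed placeholders; the integrity value is derived from the constructed tarball so the example runs offline.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-in for the tarball a registry would serve for one locked package.
GOOD_TARBALL = b"\x1f\x8b constructed stand-in for left-pad-1.3.0.tgz bytes"

# SRI permits only these digest algorithms; anything else is rejected outright.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_sha512(data: bytes) -> str:
    """Return the SRI-style integrity string that yarn/npm record for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed yarn v1 lockfile fragment (hypothetical package and registry host);
# its integrity line is computed from GOOD_TARBALL rather than copied from a real registry.
LOCKFILE = f'''# yarn lockfile v1

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz"
  integrity {sri_sha512(GOOD_TARBALL)}
'''

# One lockfile entry: an unindented "key:" line followed by indented version/resolved/integrity.
ENTRY_RE = re.compile(
    r'^(?P<key>[^\s#][^\n]*):\n'
    r'  version "(?P<version>[^"]+)"\n'
    r'  resolved "(?P<resolved>[^"]+)"\n'
    r'  integrity (?P<integrity>\S+)',
    re.MULTILINE,
)


def parse_lockfile(text: str) -> Dict[str, dict]:
    """Extract version, resolved URL and integrity for each entry of a yarn v1 lockfile."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        key = m.group("key").strip('"')  # scoped keys are quoted in yarn.lock
        entries[key] = {
            "version": m.group("version"),
            "resolved": m.group("resolved"),
            "integrity": m.group("integrity"),
        }
    return entries


def verify_tarball(entry: dict, data: bytes) -> bool:
    """True only if the tarball bytes match the lockfile's recorded integrity hash."""
    algo, _, expected_b64 = entry["integrity"].partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    actual_b64 = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    # Constant-time comparison; not strictly required for a public hash but a good habit.
    return hmac.compare_digest(actual_b64, expected_b64)


def verify_all(lockfile: str, tarballs: Dict[str, bytes]) -> Dict[str, bool]:
    """Check every lockfile entry against the tarball bytes fetched for it (missing -> False)."""
    entries = parse_lockfile(lockfile)
    return {key: key in tarballs and verify_tarball(entry, tarballs[key])
            for key, entry in entries.items()}


if __name__ == "__main__":
    key = "left-pad@^1.3.0"
    print(verify_all(LOCKFILE, {key: GOOD_TARBALL}))            # {'left-pad@^1.3.0': True}
    print(verify_all(LOCKFILE, {key: GOOD_TARBALL + b"\x00"}))  # {'left-pad@^1.3.0': False}
```

Pinning versions alone reproduces the build only while the registry keeps serving identical bytes; the integrity hash is what turns a silently altered tarball into a failed build, which is the property an archived mirror would otherwise have to provide.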

