-
-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lavamoat runtime support #52
lavamoat runtime support #52
Conversation
3a65ecf
to
df8b6d3
Compare
Currently electron-builder messes around with the package.json as well as the node_modules (for example it does not consider the dev deps node_modules to be copied to the packaged app). Due to that we have generated a policy.json only for packaged electron apps. Also it seems that lavamoat computes different paths when running within electron. Due to that we are adding a specific policy override file. Finally we had to patch lavamoat to consider leveldown as a builtin when the app is packaged only.
046f919
to
735b2c4
Compare
"globals": { | ||
"fetch": true | ||
} | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there really this many different versions of node-fetch? Should that not deduplicate on installation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well it should... I have run it.. buuut it did not remove the duplications 😅 I have not investigate it further though (yet).
}, | ||
"3box>ipfs>pull-mplex": { | ||
"packages": { | ||
"@truffle/codec>debug": true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is surprising. Why is a single package so good at escaping detection by lavamoat's static analysis?
I don't recall having this issue with debug
before
}, | ||
"3box>ipfs>libp2p-webrtc-star>socket.io-client>engine.io-client>xmlhttprequest-ssl": { | ||
"builtin": { | ||
"child_process.spawn": true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's not great. We could override it to false and see if it's being used at all.
}, | ||
"web3>xmlhttprequest": { | ||
"builtin": { | ||
"child_process.spawn": true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above - we don't like spawn
because it runs something outside lavamoat.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the one required (haven't looked into the package to understand why yet.. but all the other spawns can be set to false)
+ | ||
+ if (isPackagedApp && requestedName === 'leveldown') { | ||
+ return 'orbit-db-cache/node_modules/leveldown' | ||
+ } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll need config for this where resolution overrides can be provided to runLava
I can add that easily, the question is - do we also want that in a non-programmatic interface?
@kumavis
Overview
Add lavamoat-node runtime to desktop App.
Changes
Desktop
require(electron)
as if it was a builtin. If the app is packaged it will also supportrequire(leveldown)
as a builtin inorbit-db-cache/node_modules/leveldown
. Finally the patch also includes all changes done by @naugtur in this PR - feat: add a programmatic API to lavamoat-node LavaMoat/LavaMoat#381require
was returning an empty objectmain.ts
as an entry point for the desktop app. This file passesbackground.js
as the entry point for lavamoat and calls lavamoat programatically.Extension
No changes
Standing issues
Currently this version does not support Snaps. The reason is that snaps currently require node 16 - 18. We have tried to patch it locally, but the effort to patch was not worth it (especially as electron 21 is coming by the end of the month and already comes with node 16.17.0 - electron/electron#35675 (comment))
THIS PR SHOULD NOT BE MERGED - we will create another one with electron 21 (and node 16.17.0) and supporting Snaps (once electron 21 is out)
How to run the app
Dev mode
Packaged App