
BUG: Update build dependencies to use a hash/digest #429

Closed
azeemshaikh38 opened this issue May 10, 2021 · 5 comments · Fixed by #460
Labels
kind/bug Something isn't working priority/must-do Upcoming release

Comments

@azeemshaikh38 (Contributor)
Describe the bug
Makefile (and possibly other places like Dockerfiles) depend on floating dependencies, which install or pull on every build before running. This is (a) flaky, since every execution is potentially different; (b) inconsistent with what runs on remote (vs. local); (c) a possible security risk; (d) an annoyance, since the dependencies get installed on every run of make all.

Expected behavior
Maintain a dependency list (which gets checked-in), specifying the dependency and a corresponding hash/digest to be used. Update the make command to have make install which installs all of these frozen dependencies.

A nice-to-have but optional feature would be to make dependabot update these hashes/digest automatically.
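The check-in-a-pin-list-and-verify-before-install flow described above, as an added example that is not part of this issue or of the project's own Makefile. It assumes a pin file of `name sha256` lines (the format is an assumption), a directory of already-downloaded tool binaries, and a `make install`-style step that refuses to copy anything into place unless every recorded digest matches. The sample tools and pin file are constructed inside the script so it runs offline:

```sh
#!/bin/sh
# Added example: verify build tools against a checked-in digest list before
# installing them. Pin-file format (name sha256 per line, '#' comments) and
# directory layout are assumptions, not the project's own conventions.
set -eu

# sha256 hex digest of a file, using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pins PINFILE DIR
# Returns 0 only if every artifact listed in PINFILE exists in DIR with the
# recorded digest; a missing file or a digest mismatch returns 1 and is named
# on stderr. Every pinned entry is checked, so all failures are reported.
verify_pins() {
  pinfile=$1; dir=$2; status=0
  while read -r name expected; do
    case $name in ''|'#'*) continue ;; esac
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(file_sha256 "$dir/$name")
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $name expected=$expected actual=$actual" >&2; status=1
    else
      echo "OK       $name"
    fi
  done < "$pinfile"
  return $status
}

# install_pinned PINFILE SRCDIR DESTDIR
# The "make install" step: copy tools into DESTDIR only after the whole pin
# list verifies, so a single tampered or stale download blocks the install.
install_pinned() {
  verify_pins "$1" "$2" || return 1
  mkdir -p "$3"
  while read -r name expected; do
    case $name in ''|'#'*) continue ;; esac
    cp "$2/$name" "$3/$name"
  done < "$1"
}

# Constructed demo: two fake tool binaries, a pin file generated from them,
# then one of the tools is modified to show the verification failing.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin"
  printf '#!/bin/sh\necho golangci-lint\n' > "$tmp/bin/golangci-lint"
  printf '#!/bin/sh\necho ko\n' > "$tmp/bin/ko"
  {
    echo "# name sha256 (constructed pin list)"
    echo "golangci-lint $(file_sha256 "$tmp/bin/golangci-lint")"
    echo "ko $(file_sha256 "$tmp/bin/ko")"
  } > "$tmp/deps.pin"
  install_pinned "$tmp/deps.pin" "$tmp/bin" "$tmp/installed"   # both OK
  echo "tampered" >> "$tmp/bin/ko"
  if install_pinned "$tmp/deps.pin" "$tmp/bin" "$tmp/installed"; then
    echo "unexpected: tampered tool passed verification"
  else
    echo "tamper detected, install refused"
  fi
  rm -rf "$tmp"
}

demo
```

The pin file is the artifact that gets checked in; regenerating it is the only step that should touch the network, and a Dependabot-style bot can do that by re-downloading and rewriting the digests. For Dockerfiles the equivalent of the `sha256` column is the image digest in `FROM image@sha256:<digest>`, which pins the base image the same way a tag does not.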

@azeemshaikh38 azeemshaikh38 added the kind/bug Something isn't working label May 10, 2021
@azeemshaikh38 (Contributor, Author)

@dlorenc created an issue based on our discussion. Let me know if this makes sense.

@naveensrinivasan (Member)

It was decided not to vendor dependencies #199

@laurentsimon laurentsimon added the priority/must-do Upcoming release label May 10, 2021
@inferno-chromium (Contributor)

> It was decided not to vendor dependencies #199

This is different, that #199 one was checking in deps as source, this one is more about supply chain security by pinning deps with sha/hash

@laurentsimon laurentsimon added this to the milestone-q2 milestone May 12, 2021
@naveensrinivasan naveensrinivasan linked a pull request May 17, 2021 that will close this issue
@azeemshaikh38 (Contributor, Author)

@inferno-chromium @naveensrinivasan am I right in assuming that #460 should fix this issue? Or do we need anything more here?

@naveensrinivasan (Member)

Yes it should fix it.
