-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposed approach for build steps in deps which are not in make node #1236
Comments
From discussion in last session related to auditing build deps with @marco-ippolito, and earlier discussion with @richardlau as well. |
@nodejs/security-wg, this has been on the agenda a few times, we assume there are no concerns/objections if we don't hear by next week and move to the next step of PR's the the basic principles into Node.js doc to get broader feedback. |
Looks like we should be able to use ghcr.io to store container images. https://github.com/features/packages, https://docs.github.com/en/packages/learn-github-packages/introduction-to-github-packages |
This repo shows some experimentation on createing a repo to generate wasm builder images and storing them in ghcr.io https://github.com/mhdawson/node-wasm-build/ There is a GitHub action to build and publish. Together with the Dockerfile it tries to capture/keep all key data about what went into the build. |
Next step will be to look at using the image created to build undici, llhttp instead of building the docker container on the fly as part of the builds for undici, lltttp |
I agree with the approach, we would need to add to the source code on node a folder with the dockerfile (I assume its going to be one that covers all the dependencies but there could be more) and use it in the github action where we do the dependency update |
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off. |
Sorry for not getting to this sooner. Still plan to work on it. |
Spent some time on this over the last few days. Newer repo that builds/releases container - https://github.com/mhdawson/wasm-builder
Fork/Branch of undici which uses the container to build, should work on arm based macs with docker, but I don't have one to try. Next I want to look at how the wasm is built for the module lexer to see how/if the same container can be used |
Ok, I have now built the three dependencies that directly use wasm and a branch with the changes that were need for each of them. The approach is based on what was being used in undici as it was the most consistent/reproduciable to start in my opinion. The changes for each of them:
For undici and cjs-module-lexar the WASM built seems to be the same as before. The common container is built/published by - https://github.com/mhdawson/wasm-builder which we would move under the Node.js organization if we move forward with this approach. The advantages include:
Possible disadvantage
One thing to note is that the approach (inherited from what undici was doing) relies on the system packages in alpine for most of the components. The advantage is that you should get a set of tools that work together and they are easy to install. The disadvantage is that you cannot necessarily get the very latest version of a component only the versions which were built for the version of alpine on which the base container is installed. |
PRs to make undici and amaro to use the common container have landed, next is to work on CJS lexer |
Refs: nodejs/security-wg#1236 Update to build in docker using wasm-builder image maintained in https://github.com/nodejs/wasm-builder. As a side effect this also updates the versions of the wasm tools to a newer version. undici and amaro have already been moved over and I plan to document in Node.js docs that this is the projects standard way to build WASM blobs. Signed-off-by: Michael Dawson <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]>
PR to update cjs-module-lexer - nodejs/cjs-module-lexer#105 PR to document approach - nodejs/node#55940 |
Refs: nodejs/security-wg#1236 Update to build in docker using wasm-builder image maintained in https://github.com/nodejs/wasm-builder. As a side effect this also updates the versions of the wasm tools to a newer version. undici and amaro have already been moved over and I plan to document in Node.js docs that this is the projects standard way to build WASM blobs. Signed-off-by: Michael Dawson <[email protected]>
Refs: nodejs/security-wg#1236 Update to build in docker using wasm-builder image maintained in https://github.com/nodejs/wasm-builder. As a side effect this also updates the versions of the wasm tools to a newer version. undici and amaro have already been moved over and I plan to document in Node.js docs that this is the projects standard way to build WASM blobs. Signed-off-by: Michael Dawson <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55940 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs#55940 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55940 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55940 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Refs: nodejs/security-wg#1236 Signed-off-by: Michael Dawson <[email protected]> PR-URL: #55940 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Basic principles
Pulling specific versions of tools to to build dependencies from npm is ok
npm guarantees immutability, and guarantees to give you the same thing for a given version
Code that gets pulled into Node.js deps
Ideally source code is built/transformed in Node.js build (make node)
Should be able to build from
canonical source
canonical source
, GitHub is not immutable, and no guarantee that is is available laterCouple of categories that are currently worrying in terms of these principles
Proposed approach for build steps/transforms that cannot done in
make node
make node
is is location/repo under the control of the Node.js projectcanonical source
in one of the above, build will be done from versioned copies under control of project.Next Steps:
The text was updated successfully, but these errors were encountered: