-
-
Notifications
You must be signed in to change notification settings - Fork 251
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
switch freetype to clone source from GitHub #3188
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of points:
- This is potentially leaving us slightly more open to risk because while we are recording the SHA we're not using that for the clone so there is a possibility of undetected corruption of the branch in the upstream repository causing problems (unless the SBOMs are checked for changes), which is not a risk with the fixed SHA which we verify from our download server.
- If the version in github is the same as the one we're currently downloading, where has the extra macos dependency come from? That would suggest they're not the same.
I was thinking about this, one option I'd considered was passing the git ref rather than the tag name, that way it cannot be corrupted, what do you think?
It appears that the one we currently host has had autogen already run on it so we can skip straight to running configure/make. The GitHub source doesn't have this hence the change and added dependency. |
Yeah it's the only real way of protecting against an unexpected upstream change I think - or we could extract as you currently are and then just check that the list commit matches an "expected" SHA (Similar to what we were doing with the download) which could flag it if the upstream had done something silly. I think I'd prefer one of those two options. I'd lean a little more towards the second but ok with either.
Interesting - ok that explains it. Hopefully that's the only difference and we won't end up with any functional differences as a result of us generating ourselves. |
Okay I'll look at setting that up
I've done a diff and that's the only change between ours and theirs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the change. I'm ok with this now but it would be good to have an explicit 'ok from @andrew-m-leonard too on this if he's around today.
Thanks @sxa, can you also approve adoptium/infrastructure#2860 as it's a prerequisite? |
Now that the FreeType source is available in GitHub we should switch to cloning the FreeType source from there rather than relying on our mirror on the Jenkins server. Not only does this mean we don't have to update the mirror each time we bump the version, but it also means that we can use an immutable SHA in the SBOM.
Checking with @andrew-m-leonard that I've set the details in the SBOM correctly. Ultimately I've switched to us storing
https://github.com/freetype/freetype/commit/${FREETYPE_SHA}
(matching the way we store other Git refs in the SBOM.Note that compiling the FreeType source from GitHub adds a dependency on
automake
for the macOS builds. This doesn't seem to be present on our current build machines so will need adding (I can submit a PR to the infra repo)