feat: use vendored sources #648
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
devskim found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
mmartinv
force-pushed
the
use-vendored-sources
branch
2 times, most recently
from
6c206b3
to
598d329
Compare
|
Failed to load packit config file: For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
2 similar comments
|
Failed to load packit config file: For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
|
Failed to load packit config file: For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
mmartinv
force-pushed
the
use-vendored-sources
branch
7 times, most recently
from
d33cb89
to
b9621db
Compare
.packit.yaml
Outdated
| - fedora-latest | ||
| - fedora-latest-aarch64 | ||
| - job: copr_build | ||
| - centos-stream-9-x86_64 |
There was a problem hiding this comment.
I don't believe we can use pakit for el9/c9s builds, we need various commit formats and approved bugs in commits.
There was a problem hiding this comment.
Looks like we might be able to do EPEL builds for c9s? re: https://github.com/containers/podman/blob/main/.packit.yaml
There was a problem hiding this comment.
We could do scratch EPEL builds, but the EPEL rules are that packages can't duplicate what's in RHEL so we can't package it there because it'll conflict and customers end up in a mess!
There was a problem hiding this comment.
The rule makes sense, though I wonder how podman is getting around it.
For our purposes, it seems like skipping c9s and EPEL would be wise.
There was a problem hiding this comment.
I am not sure I am following... The centos-stream9 builds are just builds triggered in packit's copr not Koji or any other downstream copr/dist-git or whatever so I don't think we need any commit formats/approved bugs or anything else. The packit produced RPMs will be useful to run the tests on the specific platforms and that what we needed, right?.
On the other hand, I might be wrong but the EPEL builds @miabbott is referring to are just copr builds of CentOS Stream 9 with the EPEL-next repo activated, nothing more, the resulting RPMs are not going to be in EPEL-next, they just need EPEL-next to be built. As we don't need any EPEL repository to build the FDO packages I will leave centos-stream9 as it is.
There was a problem hiding this comment.
TBH, I'm not terribly familiar with how Packit handles c9s, so I was just looking for examples of other projects using it.
To that point, osbuild is using it for all downstream builds - https://github.com/osbuild/osbuild-composer/blob/main/.packit.yaml
And looking at their dashboard from Packit, shows that the c9s builds are just going to a copr - https://dashboard.packit.dev/projects/github.com/osbuild/osbuild
So I'll walk back my statement about skipping c9s...seems like it is something we can try. (We'll still need to do manual work to get "official" c9s builds made...or invest in a bot to do it for us like the osbuild folks have)
There was a problem hiding this comment.
The rule makes sense, though I wonder how
podmanis getting around it.
Are they getting around it, I don't see any pakit builds in c9s for podman? https://kojihub.stream.rdu2.redhat.com/koji/packageinfo?packageID=1720
There was a problem hiding this comment.
I am not sure I am following... The centos-stream9 builds are just builds triggered in packit's copr not Koji or any
So by centos-stream9 builds you're actually referring to copr builds against the c9s? I thought you meant as in c9s proper, when read "centos-stream9 builds" I read it as official c9s builds not copr el9 builds. Anything in copr is fine.
| @@ -17,7 +17,7 @@ serde_cbor = "0.11" | |||
| serde_repr = "0.1.6" | |||
| serde_tuple = "0.5" | |||
| thiserror = "1" | |||
| aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" } | |||
| aws-nitro-enclaves-cose = "0.4.0" | |||
There was a problem hiding this comment.
so at which point do we fix the crate?
There was a problem hiding this comment.
when running update-vendor.sh script
| %if 0%{?rhel} >= 10 | ||
| %cargo_prep -v vendor | ||
| %else | ||
| %cargo_prep -V 1 | ||
| %cargo_prep -V 0 |
There was a problem hiding this comment.
Generates the vendored source at rpm build time? In the case of RHEL/c9s/eln/Fedora that is not going to work as they don't have out bound connectivity. For copr builds it depends on the repo config but it should be fine for CI builds in copr.
There was a problem hiding this comment.
From my tests it looks like the -V 1 specifies the source tarball containing the vendor files. Now those files are contained in the Source0 tarball and actually works
There was a problem hiding this comment.
I don't believe we want it all as single tarball.
There was a problem hiding this comment.
Could you please elaborate further on why we wouldn't want a single tarball?
There was a problem hiding this comment.
We don't build rhel/c9s using the Makefile, we need an srpm and the vendored tarfile with the dependencies, which is uploaded to the build system.
There was a problem hiding this comment.
We still need the vendored tarball in fedora for ELN builds don't we? and ELN is built from Fedora dist-git right? So we need the vendored tarball in all the distributions we build for, don't we?. What's the difference on shipping it in a separate tarball than alongside the source code? Other projects already do that like all the osbuild projects for example.
There was a problem hiding this comment.
What do the Fedora rust packaging guidelines say? https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/
I would personally like them to be separate.
There was a problem hiding this comment.
It literally says:
In general, packages SHOULD NOT use bundled crate dependencies, whenever possible.
So we are OK in Fedora as we don't use vendoring at all.
There was a problem hiding this comment.
So using a separate upstream and vendored sourced allows me to:
- Verify the upstream source hasn't changed from the github releases download to verify checksum etc
- Refresh the vendored source against an upstream release without having to change the upstream release source to deal with CVEs in the vendored source.
Having them separate is useful for a number of reasons. Please just update this to keep them separate.
There was a problem hiding this comment.
So using a separate upstream and vendored sourced allows me to:
- Verify the upstream source hasn't changed from the github releases download to verify checksum etc
Sorry but I don't get what's the difference. If you include the vendor directory within the release you still can verify the checksum exactly the same way.
- Refresh the vendored source against an upstream release without having to change the upstream release source to deal with CVEs in the vendored source.
Applying a CVE downstream without having to modify the upstream repo would be as simple as:
git clone https://github.com/fdo-rs/fido-device-onboard-rs.git
cd fido-device-onboard-rs
git checkout v0.5.0
# do the required modifications to address the CVE by changing dependencies and/or adding patches to the `patches` directory
./update-vendor.sh
git diff > cve-number.diff And use that cve-number.diff as patch in the dowstream repo.
Having them separate is useful for a number of reasons. Please just update this to keep them separate.
Sorry but I cannot update the PR to separate them, that's the whole point of this PR: to minimize hacks and to bring the filtered and patched vendor directory into the repo's source code. The only reason I see for now to not merge it is the problem I found regarding cargo add that I mentioned below. However that would be a minor problem that can be solved by:
rm -f .cargo/config.toml
cargo add ...
./update-vendor.sh
b9621db
to
e04c458
Compare
mmartinv
force-pushed
the
use-vendored-sources
branch
6 times, most recently
from
c8b2137
to
4d20924
Compare
|
I think that we are trying to accomplish too many things with these PR when we don't really need all those things. Here are my thoughts and what I understand to be "true" First of all, as I understand it, this project simply needs to check that things work in Fedora, thereby, as it was before, we only care about making copr builds in Fedora rawhide and the latest Fedora development, both for aarch64 and x86_64. We don't need to test that packages are built in rhel/c9s because we vendor everything, and since we compile everything ourselves """It Just Works""". It would be nice to have a rhel/c9s CI but as I've understood the PR, it does not replicate the way that we need to build things for rhel/c9s, so if it does not replicate it I would rather save time in CI and I wouldn't run rhel/c9s packaging tests. When things do not work in rhel/c9s we make specific patches for it in the specific c9s repo, but for "upstream-sake" we had the make-vendored-tarfile script over here too. Due to the way that packaging works in rhel/c9s we do not need a Makefile that spits out an RPM, we need a sprm and a separate tarball with the vendored dependencies. |
| replace-with = "vendored-sources" | ||
|
|
||
| [source.vendored-sources] | ||
| directory = "vendor" |
There was a problem hiding this comment.
this is going to use the vendored sourcesfor everyt build and we don't want that
There was a problem hiding this comment.
Well that's not actually true, the %cargo_prep macro overwrites it. Only when %cargo_prep -V 0 or %cargo_prep -v vendor the build will use vendored sources.
There was a problem hiding this comment.
Doing some additional tests I hit rust-lang/cargo#10729 so if we use vendoring as it is in this PR we will not be able to use cargo add anymore (at least in Fedora). I will change the strategy and remove the .cargo/config.toml and use a pre-commit script to update the vendor files whenever the Cargo.lock file is modified.
As we discussed in the refinement session we also need to enable CentOS Stream 9 builds at least.
We need to test the packaging itself and that the resulting RPMs work as expected. The way the RPMs are built in copr is basically the same as in dist-git I believe. Indeed, packit can propose downstream dist-git updates when a new version is released upstream so I think we could even automate some downstream work.
What's the difference compared to provide everything, the source code alongside the filtered and patched vendor files, in a single SRPM? Is there any problem I am not aware of? AFAIK osbuild guys already do that with osbuild-composer for example. |
mmartinv
force-pushed
the
use-vendored-sources
branch
3 times, most recently
from
e568337
to
792a69c
Compare
mmartinv
force-pushed
the
use-vendored-sources
branch
3 times, most recently
from
26b10e6
to
cd84756
Compare
Use official `aws-nitro-enclaves-cose` crate instead of a fixed fork. Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Do not generate the vendor tarball in builds as we will use the patched and filtered `vendor` dir instead Signed-off-by: Miguel Martín <mmartinv@redhat.com>
mmartinv
force-pushed
the
use-vendored-sources
branch
from
cd84756
to
539fb0b
Compare
Use patched and filtered vendored sources for builds. Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Update packit configuration to generate fedora, fedora-eln, centos and rhel packages. Add configuration to be able to propose downstream PR for Fedora dist-git. Signed-off-by: Miguel Martín <mmartinv@redhat.com>
mmartinv
force-pushed
the
use-vendored-sources
branch
from
539fb0b
to
afb61d7
Compare
aws-nitro-enclaves-cosecrate