Hermetic Builds: CI, bootstrapping and version pinnig #2057
Comments
|
TBF, I would just wait for making any more decisions and changes. MSFT is designing per-repo tools which should (I hope) solve many (all... if MSFT will design it correctly) mentioned problems. |
|
For reference- GH comment describing some plans for per-repo tools - https://github.com/dotnet/cli/issues/9782#issuecomment-410033494. |
|
Didn't see that recent comment by @KathleenDollard but it sounds great, repo tools in As Microsoft tooling is in an awkward position so are all global tools that interact with the build. Waiting (Potentially with better docs) could be a solution but it depends on how much the wait is, and how easily people will be able to upgrade (For now core seem to be pretty upgrade-able) Big advantage of well designed repo tools is that they would also solve the problem for a netcore-paket. |
|
First: Thanks for the detailed write up. Now let me try to go into that:
No we didn’t. What we did is provide additional installation option and they can ba very helpful in a lot of scenarios. And as they are “new” I guess people have the impression they are the “right” way to use fake 5 now. Look at the linked fake-bootstrap repository. All of the suggested solution “lock” the fake version in one way or another. And one of them even allows you to version “dotnet-fake” in your paket lockfile. The general workflow is (leaving out global tool for a second):
Or
It cannot really get easier than that. And the fake repository itself uses that. Ok that said let me explain on how I see global installation. First, the term alone “global” clearly indicates that it isn’t what you want, so I’m not sure why you are using it? Second, I think it is a new and easy way to get started with fake 5 and in particular its scripting capabilities. It allows us to use F# scripts pretty much everywhere without an existing fsi or dotnet sdk installation. This is why I feel we need to support chocolatey and the various native package managers. Generally, I don’t think it is a huge problem using a global fake installation for building a repository on a local development maching as the impact of the runtime to your build script should be minimal (by design). Don’t forget that a global tool falling back to a local tool still has an nonzero impact as the fallback algorithm can fail or be faulty. The current approach with fake might be a bit higher but not too much. Let me explain a bit how fake 5 works:
So what can actually change between fake versions:
Given the strict compatibility requirements from microsoft and the lockfile all are very very unlikely. So I hope that enlightened my point of view on this. |
|
So basically what's left to do:
What I'm probably not doing:
Any other things we can do to improve the situation? |
|
I personally think that using the global tool install with a pinned version in a script does exactly what it sounds like @vbfox wants. That way you will always have the version you specified on your pin/lock. It's not a true global tool, it's a repo level tool which is installed to a specific version |
|
Though I do agree with the improved documentation. I think we should agree on a couple of ways to install and we'll document it with examples (like @matthid examples repo) I also think that the existing documentation is great I was able to follow it and I've never used the dot net cli before now. Imo, the best ways to install are:
Each has a different use case, so if these are explained with the pros and cons, it gives people the best chance of choosing what fits their needs. |
|
We could also update the fake-template scripts to uninstall/reinstall in order to update. Sadly, |
|
@kblohm yeah I found that issue with update, hence why I suggested using the script to purge the install location and then installing again. |
|
Why not "ignore" global tools until we can properly use them. Why try to make them work and invest time in fixing the issues? |
|
Based on people consuming the modules from nuget, how much effort is it to push the cli into a nuget package which someone can consume via paket with a locked version? |
|
@BlythMeister Isn't this exactly what I already linked above: https://github.com/FakeBuild/fake-bootstrap/tree/paket_clitool?files=1 ? |
|
Kinda, but I'm not sure using paket cli how you can lock to a specific version in the dependencies file...if that's possible, then I'm not really sure what the deal is with this issue. |
I can only assume that we need to fix/clarify the documentation. But I'm also not exactly sure what to do or what to write. Suggestions would be welcome. |
|
Ahh I used to use the paket cli route, but moved away...maybe that was better....the need for a paket reference file was a bit odd if I remember |
One thing I want to be clear is that I don't think there is a problem of availability. There are ways to get hermetic builds, I know how to and I can isolate myself and just use them. But I think FAKE can do better than make it possible, it can make it easy and obvious. The three things I wanted to discuss in this issue are:
There has been an explosion of new ways to do things with cli tools, global tools, ... and FAKE can use a lot of them one way or another, there is more a problem of too much ways to do it than something missing (Except for simplicity maybe) I shouldn't have ended my issue with a suggestion of change, and kept it on the guidance/documentation level. There are a few things that can be implemented but we can keep this discussion separate.
Yes I think that we can agree that going for a big complex solution, like the paket boostrapper would be overkill with Microsoft having a lot better one around the corner.
The problem with always reinstalling is that it isn't the fastest operation... far from it, having a local
We had all 3 break one way or another, and we currently pin all 3. FAKE adding the possibility to break on either of these cases doesn't sound great (Granted it's better than if FAKE contained all it's libs)
I'll try a PR for the website not sure you'll like it but maybe it will be more constructive 😉 |
|
I'm open for concrete PRs regarding documentation, guideline and implementation changes. However I'm closing this stale discussion, but feel free to open another issue if there are still some open points to discuss. I'm fine with guiding users into a particular way of using FAKE as long as the other options are documented elsewhere and the way we guide users is "easy to follow" (whatever that means). |
This issue follow the twitter discussion on the subject of bootstrapping FAKE and how the global tool can be inadequate.
CC. @forki @matthid @BlythMeister @vivainio @Krzysztof-Cieslak @Rickasaurus @theimowski as you were involved in the discussion.
What do I/we want ?
Hermetic Builds citing the Google SRE Book :
It's hard to be perfect in this domain as at some point you might need to emulate hardware to ensure that a build is repeatable on a different system. But we should aim for most tools to work to enable that goal as much as possible.
FAKE as a tool that drive the build need to be aware of these problems and provide solutions for them. Even if they aren't the default as the needs of first time users and of more professional teams won't be the same there should be an easy, well documented path from one to the other.
There are 2 main aspects of FAKE affected :
This issue will concentrate on the first problem as the changes between FAKE 4 and FAKE 5 affected it and I think that we need a discussion around it.
Where do we want it ?
Two main cases to distinguish :
But realistically for technological and speed reasons build are often done on shared builders where having state affecting one build from the next is a big problem.
Some machines even have multiple builders doing builds in parallel making it even worse.
Each of theses should be a repeatable, independent build. Other builds running at the same time or before shouldn't affect them and the build that will later happen on the build server for the same source code should produce the same result.
Where is FAKE now ?
In the FAKE 4 world the tool binary was provided from NuGet, typically via paket and it's version was pinned there, there was no problem with that approach as it fully moved the problem to paket itself (and it's bootstrapper).
FAKE 5 took the path of using a global tool and by doing that make version pinning quite hard, let's see the problems with the approaches presented :
dotnet fake. The best solution for now. The potential problems are that it need a "dummy" project and only works on the root directory but that's not too much.A (small) survey of the rest of the world
How are some other tools doing, and what solution do they offer :
yarn.jsfile that can be downloaded and placed in the repository. Upgrade is more annoying (And create a non-reviewable PR) but everyone uses the same version.gulpoffer a best of both world approach with a global install that use a local install if present or embed a fully functional version otherwise.Proposed solution
I think that the long term solution when dotnet will get repo-tools is to do like gulp does. But in the interim we can still approach that level of integration.
A road toward that could look like this :
Build.projorRepo.proj)dotnet fakeinstead of doing anything directly (It could also have a command line flag to generate it in the current folder).Remark
I'll try to do a blog post on the subject but I also had some success by using fake libs in a project run via
dotnet runit has some nice advantages and as I'm not the only one investigating here it could be worth it to have an advanced use page one the FAKE website documenting this practice.But I don't think it should be cited prominently if it's one day suggested.
The text was updated successfully, but these errors were encountered: