-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit build process for dependencies #1037
Comments
In terms of the dependencies which build WASM (undici, cjs-module-lexer, llhttp) some of them currently using a docker file to dynamically build a container and use apk to install packages. I have a feeling that what we get from the apk install may change over time. We may be able to improve repeatability by building that docker image in advance and storing it in the GitHub container registry in the nodejs org. We could then use the same set of images across all projects were we build WASM binaries. |
The main problem we have right now is that builds are not repeatable because we dont keep track of certain informations such as version of the tools we use to install, package locks, sources itself. (example: dependency github project is deleted)
Feel free to edit and add more question, improve etc... |
I suggest using the same approach we used for automating dependencies. We could have a main track issue (possibly this one), and whenever we work on a specific version, we can create a separate issue to discuss it there. |
Please have a look at this PR nodejs/node#49747 |
acorn-walk
tools we use to install:
|
acorn
tools we use to install:
|
PR-URL: #50473 Refs: nodejs/security-wg#1037 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
PR-URL: nodejs#50473 Refs: nodejs/security-wg#1037 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
PR-URL: #50473 Refs: nodejs/security-wg#1037 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
PR-URL: #50476 Refs: nodejs/security-wg#1037 Reviewed-By: James M Snell <[email protected]>
PR-URL: #50473 Refs: nodejs/security-wg#1037 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
PR-URL: #50476 Refs: nodejs/security-wg#1037 Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#50476 Refs: nodejs/security-wg#1037 Reviewed-By: James M Snell <[email protected]>
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off. |
Work to improve the build process of deps that include WASM - #1236 |
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off. |
Following the great work in #828 I think the next step is to audit any build steps related to dependencies and tools used in those build steps from a repeatability and supply chain perspective.
For dependencies that only contain a direct copy of the original source code for the dependencies and are completely built from that source during the Node.js make process there should be nothing to do other than to confirm they fall into that category.
For others, which have additional build steps we'll want to see what gets used/pulled in during those build steps, and see if we are comfortable that we can get the exact versions of the tools used in the future and that we have enough information that we complete the build steps if needed for some future Node.js release in a way that generates the same result. If we dynamically pull in tools we should also confirm we are confident that the source is trusted and not a potential source of a supply chain attack.
A good example of this is undici were there are WASM binaries that are build outside of the Node.js make step. These use dynamically installed packages in a docker container. Would we get the same version of those packages if we installed them a year from now? If not we might be introducing unexpected changes as we do maintenance releases.
Lets go through each of the dependencies and categorize them into
Node.js make nodejs
Also note that we may need to not only look at the steps in the
tools/dep_updaters
directory but also look at the tools used to generate a new release of the dependency if what we copy over contains what would not be consideredoriginal source
.The text was updated successfully, but these errors were encountered: