Can we still (Foreman) RPMs without internet access?
- Defiantly, the build results are only static assets. (and imh, should be served from a micro-service)
Reminds me of https://www.reddit.com/user/Defiantly_Not_A_Bot
I do wonder where we store all the resulting bundles. Do we expect
plugin authors to include them in gem releases? Do we expect packaging
to carry these files for every branch? This sounds like a maintenance
disaster but I could be missing something.
Also note that currently users can install foreman-assets, make a change
in the code and recompile assets to change their local installation. If
we only store the resulting bundles then this is lost. Do we want to
limit our users in that freedom?
Currently we are also safe from leftpad situations because we have
copies of all our sources. This allows us to rebuild all our packages
even if NPM would be unreachable (DDoS, service outage, firewalls).
Can we see which licenses are used?
That page doesn’t load unless I include a ton of javascript sources from
third parties. Can’t say if it’s what I’m looking for so I’ll explain.
Some licenses require you to ship the license or it’s considered a
violation of the license. This is why you see Android and Apple both
having a lot of open source licenses when you go to the legal info page.
Other licenses can be incompatible. We already do a poor job of caring
about this, but we shouldn’t do a worse job either.
Can we see which source packages + versions are used?
- Yes, like the
Gemfile.lock
, today, npm and yarn create package-lock.json
and yarn.lock
.
Is this the kind of solution we are looking for?
So that means I need to go over every repo what ships webpack sources?
It can be a start but personally I hate lockfiles. IMHO you should
always specify dependencies you can work with and find the best match
that’s possible.
Can we track security issues in dependencies?
Is there a way to see this for branches? If we can’t see it for releases
it’s not that useful.
Is the modules blob arch-specific and do we need to generate one for x86 and one for arm? Is it even OS-specific and do we need 1 for Debian (Stretch), 1 for EL7 and 2 for Ubuntu (Xenial, Bionic)?
- No afaik, the build results meant to run in a browser and shouldn’t use any “native extention”.
It is an OS-specific (not sure in what level) only when you build your code to run on the machine itslef (NodeJS)
I think it was more that I was considering that we want something that
fits the above requirements. Then you probably want the node modules
something.
How much disk space will we need to store them?
- The node_modules folder can be really heavy, especially when you install your
dev-dependecy
on the machine. On my machine, it’s 500M while the build results are 5.2M
therefore, I changed my mind and I think we should save only the lock file (704K). I think this should be our signature.
Agreed that storing entire module bundles is undesired, but there are
big benefits of having access to the actual sources.
How do we ensure the vendor.js in foreman.rpm won’t break plugin-bundle.js when something updates?
- That’s a really good question! Afaik, right now, we are ensuring it by building the core and the plugins together. so you can’t really update the core without update the plugins or the opposite.
I think we need to find a solution where we can build core and plugins (each plugin) separately and independently.
I’ve been arguing that we need a solution for that because they’ve
always been independent. Plugins have been carried to multiple newer
releases and were only rebuilt if needed. If this becomes a requirement
it means we really need to re-engineer our build pipeline for everything
that uses webpack and trigger rebuilds on reverse dependencies. It’s
probably best to automatically create an exact requirement in the RPMs
if they’re so tightly coupled.
I wonder what the implications of this are for Katello and being to
release independently. We can probably still revbump on the packaging
side but I might be missing something.