-
Notifications
You must be signed in to change notification settings - Fork 572
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undici builds in Node 20.3.0 are non-repeatable #2157
Comments
PR welcome |
@ronag I'm interested in helping to move the overall project towards more repeatable builds. I'm thinking we should have some sort of pattern that is recommended for building WASM across the Node.js project. Before I start looking at that I'd just like to confirm that makes sense to you and you think @undici would be open to accepting a PR to adopt what we come up with @nodejs/security-wg FYI as I think this could be one part of the work related to improving how we build/pull in dependencies now that we have the initial automation done. |
SGTM! |
Refs: nodejs#2157 - adds generation of a wasm_build_env.txt file which contains information about version of tools used to build wasm - updates the docuementation to make it clear that all files in lib/llhttp should be committed when an update is done - fixes build/wasm.js to generate JS that passes the current linting configured for the project Signed-off-by: Michael Dawson <[email protected]>
#2168 was a first step and has landed. I checked that from what I can see the info should propagate into the Node.js tree one the next undici update. @ronag do you know when the next release might happen? The next step I think is to consider consolidating the way we build WASM across components and have shared some initial thoughts in nodejs/security-wg#1037 (comment) |
Bug Description
The change introduced by 3c514d8 removes the ability to reproduce the wasi-sdk sources from the Node.js deliverables.
Reproducible By
In Fedora, we require that all of the sources for the software we deliver are available. Prior to this change, it was possible for us to interrogate the undici
Dockerfile
in order to identify which version of wasi-sdk was in use by Node.js so we could download the pristine sources from https://github.com/WebAssembly/wasi-sdk/releases/. After this change, there is no way that I can determine for identifying the actual provenance of these sources.Expected Behavior
The exact version of the wasi-sdk sources that are bundled in the undici tarball needs to be readily-discoverable somewhere.
Logs & Screenshots
Up until Node.js 20.3.0, it was possible to scrape this information from the Dockerfile, as done here. While this was not ideal (best would be for the project to make a clear statement about the bundled versions), it was sufficient for our needs.
Environment
Fedora 37, 38
Node.js 20.3.0
Additional context
The text was updated successfully, but these errors were encountered: