Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Undici builds in Node 20.3.0 are non-repeatable #2157

Closed
sgallagher opened this issue Jun 13, 2023 · 4 comments
Closed

Undici builds in Node 20.3.0 are non-repeatable #2157

sgallagher opened this issue Jun 13, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@sgallagher
Copy link

Bug Description

The change introduced by 3c514d8 removes the ability to reproduce the wasi-sdk sources from the Node.js deliverables.

Reproducible By

In Fedora, we require that all of the sources for the software we deliver are available. Prior to this change, it was possible for us to interrogate the undici Dockerfile in order to identify which version of wasi-sdk was in use by Node.js so we could download the pristine sources from https://github.com/WebAssembly/wasi-sdk/releases/. After this change, there is no way that I can determine for identifying the actual provenance of these sources.

Expected Behavior

The exact version of the wasi-sdk sources that are bundled in the undici tarball needs to be readily-discoverable somewhere.

Logs & Screenshots

Up until Node.js 20.3.0, it was possible to scrape this information from the Dockerfile, as done here. While this was not ideal (best would be for the project to make a clear statement about the bundled versions), it was sufficient for our needs.

Environment

Fedora 37, 38
Node.js 20.3.0

Additional context

@sgallagher sgallagher added the bug Something isn't working label Jun 13, 2023
@ronag
Copy link
Member

ronag commented Jun 13, 2023

PR welcome

@mhdawson
Copy link
Member

@ronag I'm interested in helping to move the overall project towards more repeatable builds. I'm thinking we should have some sort of pattern that is recommended for building WASM across the Node.js project.

Before I start looking at that I'd just like to confirm that makes sense to you and you think @undici would be open to accepting a PR to adopt what we come up with

@nodejs/security-wg FYI as I think this could be one part of the work related to improving how we build/pull in dependencies now that we have the initial automation done.

@ronag
Copy link
Member

ronag commented Jun 13, 2023

SGTM!

mhdawson added a commit to mhdawson/undici that referenced this issue Jun 21, 2023
Refs: nodejs#2157

- adds generation of a wasm_build_env.txt file which contains
  information about version of tools used to build wasm
- updates the docuementation to make it clear that all files
  in lib/llhttp should be committed when an update is done
- fixes build/wasm.js to generate JS that passes the
  current linting configured for the project

Signed-off-by: Michael Dawson <[email protected]>
@mhdawson
Copy link
Member

#2168 was a first step and has landed. I checked that from what I can see the info should propagate into the Node.js tree one the next undici update. @ronag do you know when the next release might happen?

The next step I think is to consider consolidating the way we build WASM across components and have shared some initial thoughts in nodejs/security-wg#1037 (comment)

@Uzlopak Uzlopak closed this as completed Aug 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants