[sync Webclient] Production deployed with build compiled from some hidden place but not from this repository

[vladimiry]

Deployed production version: 3.15.7
Repository version: 3.15.5

So the project is open-source, but production deployed from some hidden repository.

Expected behavior

• Deployed to production build always matches the code in this repository.
• In along with deploying, CI job creates the respective tag or release in this repository. So it's clear which exact commit is deployed.
• An option to verify that deployed to production version has been built from the code in this repository. Ideally linked to this repository CI server does all the job of building and deploying, so anyone concerned could review the CI logs.

To Reproduce

[ArcanisCz]

In open source project, especially security related ones, builds should really be reproducible. Not only matching versions, but file (and libraries) hashes too.

[dhoko]

100% agree, it's a wip :)
We must provide checksums, way to install the same config, dist sources etc.

[ArcanisCz]

awesome :)

[vladimiry]

By the way, it happens again. Production got deployed with possibly shady build again. Shady means deployed with build taken from some hidden place, but not from this repository.

Deployed production version: 3.15.14
Repository version: 3.15.13

[dhoko]

Oups :/ It's fixed now

[vladimiry]

Here we are again:

[dhoko]

My bad, I forgot to sync. :/

[vladimiry]

Thanks.

It's unrelated, but https://beta.protonmail.com/ is not loading with integrity checking errors in dev console.

[dhoko]

@vladimiry there was an issue with the build on beta :/ cf #148

[vladimiry]

git: 3.15.27
live: 3.15.29

[dhoko]

voilà ;)

[vladimiry]

Friendly reminding (need to update ElectronMail before new release).

[dhoko]

Voilà, sorry we needed to debug something 😁

[vladimiry]

3.16.3 has not been published here.

[vladimiry]

ping

[vladimiry]

ping (7 days source code publishing lag)

[vladimiry]

ping (8 days source code publishing lag)

[EpokK]

@vladimiry done.

[vladimiry]

Thanks. Any progress in automating the code publishing process or even better deploying from the public repo? As a temporary supporting solution, I guess an automated notification triggered by new release event could be set up. This notification would inform the concerned parties that the code needs to be published here.

[EpokK]

We are currently refactoring Proton web-apps in React for version 4, all repo are currently public and available there. Our attention is more on the new version than the old Angular repo. For next release on that one, we will add attention to sync repos properly.

[vladimiry]

beta 11 is not shared yet but deployed.

Besides I guess proton-mail-settings + proton-contacts + proton-calendar should be published too as they supposed to use updated proton-shared project.

Please don't miss syncing package lock files.

[vladimiry]

v4.0.0-beta13 is live now but not published here yet. Please also publish all the related projects if they have been updated, and lock files too.

[vladimiry]

@dhoko do I get it right that the DKIM-related issue detected in beta 16 was somewhere in backend side and that's why I see no changes in client repositories after beta 16 got re-deployed today? Asking since I'm trying to realize if I need to rebuild the WebClient/proton-mail-settings/proton-contacts/proton-calendar event though there was no code update nor in the lock files.

[dhoko]

@vladimiry Yep, we switched back the beta to go back to the 15. The fix is now available on the API side, that's why we deployed the beta 16 again (it's the same bundle we built the first time).

No need to rebuild the beta 16, if you did it a few days ago. 👍