Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

switch freetype to clone source from GitHub #3188

Merged
merged 7 commits into from
Jan 3, 2023
Merged

switch freetype to clone source from GitHub #3188

merged 7 commits into from
Jan 3, 2023

Conversation

gdams
Copy link
Member

@gdams gdams commented Dec 20, 2022
edited

Now that the FreeType source is available in GitHub we should switch to cloning the FreeType source from there rather than relying on our mirror on the Jenkins server. Not only does this mean we don't have to update the mirror each time we bump the version, but it also means that we can use an immutable SHA in the SBOM.

Checking with @andrew-m-leonard that I've set the details in the SBOM correctly. Ultimately I've switched to us storing https://github.com/freetype/freetype/commit/${FREETYPE_SHA} (matching the way we store other Git refs in the SBOM.

Note that compiling the FreeType source from GitHub adds a dependency on automake for the macOS builds. This doesn't seem to be present on our current build machines so will need adding (I can submit a PR to the infra repo)

@gdams gdams mentioned this pull request Dec 20, 2022
Merged
6 tasks
@github-actions github-actions bot added the macos Issues that affect or relate to the MAC OS label Dec 20, 2022
This was referenced Dec 22, 2022
Open
Draft
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS and removed macos Issues that affect or relate to the MAC OS labels Dec 22, 2022
sxa
sxa reviewed Dec 23, 2022
View reviewed changes
Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of points:

  • This is potentially leaving us slightly more open to risk because while we are recording the SHA we're not using that for the clone so there is a possibility of undetected corruption of the branch in the upstream repository causing problems (unless the SBOMs are checked for changes), which is not a risk with the fixed SHA which we verify from our download server.
  • If the version in github is the same as the one we're currently downloading, where has the extra macos dependency come from? That would suggest they're not the same.

@gdams
Copy link
Member Author

gdams commented Dec 23, 2022

This is potentially leaving us slightly more open to risk because while we are recording the SHA we're not using that for the clone so there is a possibility of undetected corruption of the branch in the upstream repository causing problems (unless the SBOMs are checked for changes), which is not a risk with the fixed SHA which we verify from our download server.

I was thinking about this, one option I'd considered was passing the git ref rather than the tag name, that way it cannot be corrupted, what do you think?

If the version in github is the same as the one we're currently downloading, where has the extra macos dependency come from? That would suggest they're not the same.

It appears that the one we currently host has had autogen already run on it so we can skip straight to running configure/make. The GitHub source doesn't have this hence the change and added dependency.

@sxa
Copy link
Member

sxa commented Dec 23, 2022

This is potentially leaving us slightly more open to risk because while we are recording the SHA we're not using that for the clone

I was thinking about this, one option I'd considered was passing the git ref rather than the tag name, that way it cannot be corrupted, what do you think?

Yeah it's the only real way of protecting against an unexpected upstream change I think - or we could extract as you currently are and then just check that the list commit matches an "expected" SHA (Similar to what we were doing with the download) which could flag it if the upstream had done something silly. I think I'd prefer one of those two options. I'd lean a little more towards the second but ok with either.

If the version in github is the same as the one we're currently downloading, where has the extra macos dependency come from? That would suggest they're not the same.

It appears that the one we currently host has had autogen already run on it so we can skip straight to running configure/make. The GitHub source doesn't have this hence the change and added dependency.

Interesting - ok that explains it. Hopefully that's the only difference and we won't end up with any functional differences as a result of us generating ourselves.

@gdams
Copy link
Member Author

gdams commented Dec 24, 2022

Yeah it's the only real way of protecting against an unexpected upstream change I think - or we could extract as you currently are and then just check that the list commit matches an "expected" SHA (Similar to what we were doing with the download) which could flag it if the upstream had done something silly. I think I'd prefer one of those two options. I'd lean a little more towards the second but ok with either.

Okay I'll look at setting that up

Interesting - ok that explains it. Hopefully that's the only difference and we won't end up with any functional differences as a result of us generating ourselves.

I've done a diff and that's the only change between ours and theirs

@github-actions github-actions bot added windows Issues that affect or relate to the WINDOWS OS macos Issues that affect or relate to the MAC OS and removed macos Issues that affect or relate to the MAC OS labels Dec 24, 2022
@github-actions github-actions bot added macos Issues that affect or relate to the MAC OS and removed macos Issues that affect or relate to the MAC OS labels Dec 24, 2022
@karianna karianna requested a review from sxa December 26, 2022 21:44
karianna
karianna approved these changes Jan 2, 2023
View reviewed changes
Copy link
Contributor

@karianna karianna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

sxa
sxa approved these changes Jan 3, 2023
View reviewed changes
Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the change. I'm ok with this now but it would be good to have an explicit 'ok from @andrew-m-leonard too on this if he's around today.

@gdams
Copy link
Member Author

gdams commented Jan 3, 2023

Thanks @sxa, can you also approve adoptium/infrastructure#2860 as it's a prerequisite?

@gdams gdams merged commit 9204887 into adoptium:master Jan 3, 2023
@gdams gdams deleted the freetype branch January 3, 2023 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karianna karianna karianna approved these changes

@sxa sxa sxa approved these changes

@andrew-m-leonard andrew-m-leonard andrew-m-leonard approved these changes

Assignees
No one assigned
Labels
macos Issues that affect or relate to the MAC OS windows Issues that affect or relate to the WINDOWS OS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@gdams @sxa @karianna @andrew-m-leonard