New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release buildtools for Windows as well #375
Comments
+1 I successfully built Buildozer and Buildifier at 220349f using Bazel 0.18.0 on Windows. |
I would be very happy to include Windows builds as part of an automated release process. |
What constitutes a release process? Just building it, or are there additional steps? |
BTW - for my particular use, I'm going for WSL - Windows Subsystem for Linux, so currently I don't support plain Windows for https://github.com/google/startup-os. |
This is difficulty is that we only have two sets of machines where we can build releases on:
Only code that has been 100% reviewed by Bazel core team members can run in the trusted zone in order to reduce risk of infecting the machines with malware and then accidentally shipping an infected version of Bazel to our users. You could run release builds in the untrusted zone and while I think we've done a pretty good job of keeping these machines clean, stateless and somewhat trustable, in theory someone could escape the sandbox on these machines and affect builds that come afterwards. On Linux / Windows we could somehow solve this by never recycling machines (always delete and start a fresh one), but for macOS we only have physical machines that we can't easily wipe clean after each job. Maybe that's still better than any other option. We can look into it, but currently have to do other tasks first. |
It sounds like we already have release builds for macOS (which mentions physical machines as a limit), but not Windows. I'm guessing the problem with Windows is getting the automation set up? I'm running into this trying to build https://github.com/jetstack/cert-manager, which depends on these release binaries through some platform-matching magic which fails on Windows. I'm building on a VM in the meantime, but it would be nice to have a faster edit-compile cycle that didn't involve syncing files between machines. 😬 |
Philipp:
Are the trusted BuildKite machines able to hold signing keys? The current
0.19.2 binary does not appear to be signed.
For many development shopts, we will have to provide signed Windows
binaries, both for the .exe itself and for any potential installers that
wrap them. If we can't do that on BuildKite, we should be investigating
alternatives.
…On Sat, Nov 24, 2018 at 7:07 PM Evan Anderson ***@***.***> wrote:
It sounds like we already have release builds for macOS (which mentions
physical machines as a limit), but not Windows. I'm guessing the problem
with Windows is getting the automation set up?
I'm running into this trying to build
https://github.com/jetstack/cert-manager, which depends on these release
binaries through some platform-matching magic which fails on Windows. I'm
building on a VM in the meantime, but it would be nice to have a faster
edit-compile cycle that didn't involve syncing files between machines. 😬
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#375 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AC5znHDJFyEhORkXeJ2B6tSDbDdFHZnRks5uyd81gaJpZM4Wqu9d>
.
|
Ping, we are using buildifier on Angular team now and our Windows devs are getting tripped up on formatting their changes to satisfy the CI /cc @ocombe |
Philipp:
If you want to explore ways we can automate the windows builds (and have
them signed), I'm happy to work with you on a plan. I built the tooling for
Drive File Stream to deliver signed binaries for Windows and Mac, so I am
very familiar with the available infrastructure and the issues.
…On Thu, Dec 20, 2018 at 10:31 AM Alex Eagle ***@***.***> wrote:
Ping, we are using buildifier on Angular team now and our Windows devs are
getting tripped up on formatting their changes to satisfy the CI
/cc @ocombe <https://github.com/ocombe>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#375 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AC5znAXEk0YEWTqryqOZjv3vtOuGOQ1dks5u661rgaJpZM4Wqu9d>
.
|
For Angular's developers, I'd be willing to manually create windows releases to publish to npm, at least for a short time.
|
@alexeagle : which Bazel version do you use and what command did you run? With Bazel 0.21.0 and at the 0.20.0 release tag (db07345), I can build Buildifier2: First, in Git Bash:
Then, in cmd.exe:
(For the record, I had to install diffutils and git under MSYS2, by running |
Buildtools project has been running and passing on Windows since #522 was merged. @vladmos How does buildtools got released, can we add Windows to the release now? |
@aiuto I don't know why I completely missed the ongoing discussion here on this bug. Sorry :( Yes, of course, let's get something working so we can produce code-signed Windows binaries for Bazel. We can securely store and use signing keys in our cloud project and use them from the trusted Windows machines. I'm not familiar with the tooling needed to do the signing on Windows, but it sounds like you are. I set the e-mail that just notified me about this issue to pop-up in my inbox when I'm back from vacation on April 2nd. Let's discuss then? |
Sounds good.
…On Mon, Feb 25, 2019 at 8:38 AM Philipp Wollermann ***@***.***> wrote:
@aiuto <https://github.com/aiuto> I don't know why I completely missed
the ongoing discussion here on this bug. Sorry :(
Yes, of course, let's get something working so we can produce code-signed
Windows binaries for Bazel. We can securely store and use signing keys in
our cloud project and use them from the trusted Windows machines.
I'm not familiar with the tooling needed to do the signing on Windows, but
it sounds like you are.
I set the e-mail that just notified me about this issue to pop-up in my
inbox when I'm back from vacation on April 2nd. Let's discuss then?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#375 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AC5znDrwSxCsmzysfu1Bvq2Tuu5P4gfUks5vQ-dDgaJpZM4Wqu9d>
.
|
Time to pick this (and general signing issues) up again. |
I have some things I can point you to about signing windows builds and verifying that they were signed correctly. But they are internal code so I can't put the link here. It's easy for me to point you at the relevant things so you could do an equivalent. At your convenience. |
@aiuto Unfortunately I'm on sick-leave this week, but let's get this done soon. I've added a tracking bug in our CI repo so that I don't forget about this. Can you send me pointers to how this would work? I guess the rough flow is:
Is that about right? |
Yes. That is about right. There are internal resources for buying certs and
how to get the security audit for handling them. I'll send a pointer
offline about those.
…On Thu, Apr 4, 2019 at 8:03 AM Philipp Wollermann ***@***.***> wrote:
@aiuto <https://github.com/aiuto> Unfortunately I'm on sick-leave this
week, but let's get this done soon. I've added a tracking bug in our CI
repo so that I don't forget about this.
Can you send me pointers to how this would work? I guess the rough flow is:
- We have to get a code-signing certificate from somewhere.
- We have to store this encrypted securely in our trusted GCP project.
- We create a pipeline to do buildtools releases via Buildkite.
- We add the step that uses the code-signing certificate to turn the
unsigned .exe into a signed .exe and then release that one. (I guess
signing a file is a matter of calling some command-line tool?)
Is that about right?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#375 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AC5znKE6bjC7INd8QLYo_zDAIeNncUIEks5vdeoRgaJpZM4Wqu9d>
.
|
Windows binaries are available starting with 0.25.1 released today: https://github.com/bazelbuild/buildtools/releases/tag/0.25.1 They are supposed to be fully functional, however it the first time we've released Windows binaries, please let us know if there are any platform-specific issues. |
@vladmos I think it would be good to update the following docs - https://docs.bazel.build/versions/master/build-javascript.html#step-4-linting
|
Related bazelbuild/buildtools#375 RELNOTES: None PiperOrigin-RevId: 352787916
Thanks for noticing, the documentation has already been fixed. |
The repo releases:
https://github.com/bazelbuild/buildtools/releases
only contain Linux and Mac binaries. Would be nice to also have Windows there :-)
The text was updated successfully, but these errors were encountered: