-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC Dependencies #888
Comments
🍒 | 🍎 | 🍌🍉 | 🍒 | 🍓🍏 | 🍉 | 🍒 |
This commit is the foundation of the dependency resolution as described in #888 . It currently only works with local dependencies, as seen in the example inheritance profile. Tests and full resolution are coming next on the path to an MVP implementation.
This commit is the foundation of the dependency resolution as described in #888 . It currently only works with local dependencies, as seen in the example inheritance profile. Tests and full resolution are coming next on the path to an MVP implementation.
As you guys are working on the feature, I would like to know how the default supermarket URL will be resolved? I've seen bugs, where default URL is hardcoded to public supermarket (supermarket.chef.io), which blows up inside firewalled environment where customer has their own supermarket running. Please consider how/where this URL will be fetched from, and where/how it can be overwritten to point to internal source by default. |
Is there a page with words that describes (9) ? |
In addition to @vinyar the same challenge will happen with our
One solution could be to use the compliance and supermarket url from |
This commit is the foundation of the dependency resolution as described in #888 . It currently only works with local dependencies, as seen in the example inheritance profile. Tests and full resolution are coming next on the path to an MVP implementation.
This commit is the foundation of the dependency resolution as described in #888 . It currently only works with local dependencies, as seen in the example inheritance profile. Tests and full resolution are coming next on the path to an MVP implementation.
@vinyar @chris-rock fun story, this might even happen to github prefix ;) To address it, we have 2 options afaics
|
@vinyar added a lot of text around scoping |
Proposing a |
@alexpop great idea to support git directly |
(A) Is the (B) Is (C) I like the idea of defining a source per dependency. But this creates the need to be able to override these locations for environments that don't have direct access to them or have a policy to review and store all dependencies before using. Let's take this for example, where gitlab is a local git repository:
(C1) Passing overriding options to inspec can get wordy very fast and lacks granularity. (C2) Not wordy for inspec and very granular is to use a file, similar to (C3) Like (C2) but without another file, but instead using (D) Should probably design the sources to receive parameters. So, instead of:
have something like this:
same way berkshelf is doing it. |
Dom (8) isn't include_controls (all) and require_controls(selective)? |
@arlimus there is also another problem outside of the realm of compliance, is that presently supermarket does not support publishing profiles via command line or even curl. |
Re My vote would be that we do not support these parts of semver. |
This commit is the foundation of the dependency resolution as described in #888 . It currently only works with local dependencies, as seen in the example inheritance profile. Tests and full resolution are coming next on the path to an MVP implementation.
@alexpop thank you, fixed 👍 :) |
@stevendanna We don't have a use-case for these yet, so happy to keep the feature-set small. 👍 |
I'm having trouble understanding how some of this dependency RFC will work. It mixes some ideas from dependency systems that do minimal version management and others that do full dependency resolution, usually using a central index of the universe of available packages to speed up the process. Here is a more basic question that I think we should spell out more explicitly: Consider: A depends on B and C with no version constraints. B and C depends on D with no version constrains but from different sources. (You can create other examples with completing versions). It seems in this case we have a few options:
Or am I missing an option? Or more generally: For a given dependency "X" are we going to try to find a single version of X to try to load into the app or will we allow for multiple versions. |
I'd also like to see us spec out some of the UX of how you will interact with this feature. It seems to me the core operation of a tool like this are:
|
@arlimus After discussing this with @chris-rock a bit, I think an important point to discuss and make a bit more explicit in this RFC is how dependency will be scoped and the impact that has on the features we need in the dependency resolution. From our discussion, I believe one of the goals of this work is to allow two different versions of the same dependencies to be loaded at the same time. For example, you might have a dependency tree that looks like:
This proposes that we change inspec such that code inside B can reference code inside D and be sure it is getting the 1.0.0 version of the code, while code inside C can reference code inside D and be sure it is getting the 2.0.0 version of the code. Is this a correct characterization of part of the feature being proposed? If so, it leads to a follow-on thought: Is there utility in including the version operators at all. In the dependency management systems I've used (I'm by no means an expert) one of the major reason to include the version operators is because the runtime can only load a single version of a given dependency. Packages use version constraints to ensure that the single version that is loaded is within the range of versions it supports. The package manager solves the constraint problem after getting version constraint information from every source to ensure it has the full universe of dependencies. However, in the world describe above, it seems that the version constraints would only be used to limit which version is fetched in the absence of a lockfile. However, most of the proposed sources don't have a standard API for exposing information about the available versions. |
Great discussion with @stevendanna and @chris-rock : Which sources do we have that provide version information in an index?
Ideas:
I'll update the spec:
|
Follow up #798 around dependency resolution.
Design
(1) dependencies are written in
inspec.yml
:(2) dependencies are based on semantic versioning: http://semver.org/ . Dependencies do not support alpha/pre-release information (9, 10) (see comment)
(3) dependency version constraints are specified with:
with
op
being<
,>
,<=
,>=
,=
,!=
or~>
. Multiple constraints may be specified. Whitespaces are optional. Whitespaces in version numbers are not supported.(4) each dependency has one source, with the default pointing to
supermarket
. sources can be specified via:(5) upon resolution, a lockfile is created in
inspec.lock
. If this lockfile exists, dependencies are not resolved but taken from this file intead.(6) dependencies are vendored to a local cache in
${inspec-home}/cache
. Users may specify a custom vendor location.(7) dependencies provide their library functions the profile (without additional specification). For example: Resources that are defined in libraries are available to the profile that requires it.
(8) dependencies may provide controls via
include_controls
(all) orrequire_controls
(selective). If none of these are used, dependencies will not execute or report on any controls.(9) dependencies are scoped with their name. scoping applies to all aspects, including resources, controls, and attributes. resources are added to the global space if there is no conflict.
... and discuss 😁
scoping
All profiles have a simple name. Names are short, to the point (and should not contain spaces). Example:
ssh
,cis-centos6-lvl1
When a profile is pulled in via dependencies, its name may be overwritten. This allows the inclusion of 2 profiles with the same name. Example: my
ssh
becomesmy-ssh
while upstreamssh
becomesupstream-ssh
. It's done via thename
field:All profile resources, controls, attributes, and other future artifacts are scoped under this name. Controls and attributes must always follow the name convention, resources may be added to a shared global scope but may overwrite existing resource with this name.
sources
The following types are supported:
path
Profile which is located in a folder on disk. This should only be used for development and debugging.
Does not support version constraints. The folder must exist. If it doesn't, throw an error.
url
Fixed HTTP/HTTPS-based URL which contains a profile. To retrieve the profile use a HTTP
GET
operation. The profile is provided in eitherzip
,tar
, ortar.gz
format. If the download fails or doesn't provide the expected format, throw an error.supermarket
,git
, andgithub
These sources are translated into a URL upon resolution. All support version indexing. For versions to be indexed, they must be provided via semantic versioning as git tags.
Git is the basic mechanism, which supports an optional branch, tag, commit, or version specification. Version specs are resolved via tags matching semantic versioning patterns. If a version constraint cannot be resolved, an error is thrown.
Github and supermarket build on this source and support all
git
options:MVP
inspec.yml
path
-based and does not require version resolutioninclude_controls
andrequire_controls
Slices
MVP
The text was updated successfully, but these errors were encountered: