Add prototype of inspec.lock

[stevendanna]

This adds a basic prototype of inspec.lock. When the lockfile exists on
disk, the dependencies tree is constructed using the information in the
lock file rather than using the resolver.

Signed-off-by: Steven Danna steve@chef.io

[ksubrama]

Comment: Make this an in-memory operation that doesn't render the lock file to disk.

[ksubrama]

So far so good. This makes sense as the "in progress" code that you walked me through this afternoon. I'm sure a lot of it will be refactored/rewritten soon - hence why most of my comments have a "Comment:" tag in them to denote that I'd simply like you to write a comment to that effect in there in case we don't get around to fixing that bit (you can never be too paranoid). I am 👍 on this.

[chris-rock]

should this be "file://#{target}"?

[chris-rock]

I think the inspec.lock is not generated in the right path. It should be generated within the root profile directory

$ b inspec vendor test/unit/mock/profiles/dependencies/inheritance 
$ cat test/unit/mock/profiles/dependencies/inheritance/inspec.lock
cat: test/unit/mock/profiles/dependencies/inheritance/inspec.lock: No such file or directory
$ cat inspec.lock 
---
lockfile_version: 0
depends: []

[chris-rock]

👍 that this is part of the profile

[chris-rock]

maybe should call that profile.dependencies. The lockfile is only a written form of all the dependencies. The word lockfile is confusing on top of profile, because a profile should only know about dependencies but not lockfiles. I would attache the lockfile to DependencySet, instead of the call I would give it a path where the expected lock file should be located

[chris-rock]

I think we should hand the whole lockfile methods into the Lockfile class and just call it from there. Resolved lockfiles result in Dependencies. I think a profile should not know about lockfiles, only dependencies

[stevendanna]

I agree we need to increase the separation between Lockfile and Profile. @ksubrama and I discussed that a bit and I think the work to change how profile loading works will drive some of that out. However, in terms of the lockfile_exists? method specifically, I'm not sure it is true that we don't want profile knowing about lockfiles at all since the lockfile now lives in the profile directory.

[chris-rock]

I am not fan of introducing side-effect to classes that should work independently. We should at least bundle that into the dependency implementation instead of the profile implementation

[stevendanna]

It really isn't clear to me how lockfile_exists?() is a side-effect? Whether a lockfile is inside the profile is a property of the profile and depends on information (the path to the profile) that you don't necessarily want to expose to users of the class.

[stevendanna]

I think the inspec.lock is not generated in the right path. It should be generated within the root profile directory

See my comment in-line re this. Currently vendor assumes you are in a profile.

[chris-rock]

cool to have that built in from the very beginning 👍

[chris-rock]

Thanks @stevendanna this works:

$ cd test/unit/mock/profiles/dependencies/inheritance
$ inspec vendor 
$ cat inspec.lock 
---
lockfile_version: 0
depends:
- name: profile_a
  resolved_source: file://../profile_a
  version_constraints: ">= 0"
  dependencies:
  - name: profile_c
    resolved_source: file://../profile_c
    version_constraints: ">= 0"
- name: profile_b
  resolved_source: file://../profile_b
  version_constraints: ">= 0"
- name: os-hardening
  resolved_source: https://github.com/dev-sec/tests-os-hardening/archive/master.tar.gz
  version_constraints: ">= 0"
  content_hash: d6c5299a7cdcce2040c157cc81cb2b21a85d3001493f8f3fb2aba175b9aa046c

[chris-rock]

discussed with @stevendanna, we are going to address my comments in later PRs

[stevendanna]

@chris-rock And I had an in-person discussions where we agreed that:

• The high-level coordination of Inspec::Profile, Inspec::Lockfile, and Inspec::DependencySet isn't right yet. We think that the right path here will get clearer as we work on scoping profile loading.
• The UX around the vendor command needs to be finalized. The path argument should probably be the path to the profile and then the lockfile should get placed at the same level as inspec.yml. The vendor directory can move to an option.

[chris-rock]

related to #888