Scan plugin #528
Scan plugin #528
Conversation
gtardif
force-pushed
the
scan_plugin
branch
4 times, most recently
from
a37ac00
to
e98d060
Compare
|
PTAL @thaJeztah |
rpm/SPECS/docker-ce-cli.spec
Outdated
| yum install -y http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm | ||
| yum install -y git | ||
| fi | ||
| git version |
There was a problem hiding this comment.
Why do we need a custom git install? I see git is already in the BuildRequires;
I see the commit mentions "really old version by default that messes go mod download" do you have more details on that? That sounds like a serious issue with Golang if it cannot work with a major distro such as RHEL / CentOS 7
There was a problem hiding this comment.
more specifically, go mod download is failing because git version on centos7 is 1.8 (anything before git 2.16 is EOL from https://en.wikipedia.org/wiki/Git#Releases). Updating git allows go mod download to succeed, no further issues compiling.
See golang/go#38373 for the go issue and solution.
I'll update the PR to mention this comment for better documentation in the code
There was a problem hiding this comment.
anything before git 2.16 is EOL from https://en.wikipedia.org/wiki/Git#Releases
Yes, upstream releases are EOL, but the CentOS/RHEL versions of Git 1.8 are still maintained (it's kinda horrible, but that's what makes RHEL/CentOS popular as an LTS distro).
I want to avoid installing a non-standard git package in our build-pipeline; especially downloaded over a non-TLS connection. Also not sure if they changed, but I recall (long time ago; when SVN was common) some of the wandisco installers included tracking, which I also want to avoid. (git itself mentions https://repo.ius.io, which could be an alternative).
However, I did a bit more digging for alternatives; the Dockerfile currently uses GOPROXY=direct, which (IIRC) was added to allow building from private forks for security releases;
I did some testing and if we switch to the default (GOPROXY=https://proxy.golang.org), Go won't use git to fetch the modules, making the build pass; I pushed a "draft" PR with that change; #530, but can push to your branch if you prefer
There was a problem hiding this comment.
Thx, I took your update and included GOPROXY here instead of updating git (Indeed I understand we don't want to change the installed packages for the entire CI pipeline). Squashed and added on top of updated scan-cli-plugin version, that simplifies make invocation
gtardif
force-pushed
the
scan_plugin
branch
2 times, most recently
from
8a2317e
to
07f33e6
Compare
gtardif
force-pushed
the
scan_plugin
branch
2 times, most recently
from
3bb7d99
to
af2bf79
Compare
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
Alternative solution was to update git on centos7 in /rpm/SPEC/docker-ce-cli.spec:
```
if [ "$SUITE" == "7" ]; then
yum install -y http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
yum install -y git
fi
```
But rather not changing what is installed on the CEnTOS bistro for the entire CI pipeline
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
|
👍 rebased |
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
Add scan CLI plugin in CE packaging