3.0.1: please make comprehensive source archive #5046

Closed
onlyjob opened this issue May 15, 2016 · 9 comments

onlyjob (Contributor) commented May 15, 2016

3.0.1 introduced a regression (somewhat) where the source archive is no longer comprehensive, because it does not contain all the sources needed to build Grafana.

On Debian, all packages are built from source on secure build servers without internet access, so builds are reproducible and do not depend on the availability of external resources.
It is not possible to download anything during the build.

It would be great to commit all downloadable (by npm, grunt, etc.) 3rd party sources or generate comprehensive "release" source archives with all dependencies.

Thanks.

torkelo (Member) commented May 15, 2016

The GitHub source tar has never been 100% comprehensive; Grafana has always required "npm install" to build (like most web apps).

torkelo closed this as completed May 15, 2016

onlyjob (Contributor, Author) commented May 15, 2016

This is a practical problem... I hope you could give it some attention or thought. Denial does not help, you know, and the problem does not magically disappear by closing the bug without action...
FYI, it was possible to build 2.6.0 from the source tarball without downloading anything...

This problem blocks upload of updated package.

torkelo (Member) commented May 15, 2016

Bug?? No, it's not possible to build 2.6 without npm install. Grafana requires npm modules to build; it always has. It is almost always a bad idea to have node modules checked into source.

You can build a source package, but you need to build the front end using the grunt build system, and the frontend build requires hundreds of node modules.

onlyjob (Contributor, Author) commented May 16, 2016

> No its not possible to build 2.6 without npm install.

But it is possible. That's how the current Debian package is made -- without npm.
The sources are there, and compiling stylesheets is easy with the lessc provided by the operating system.
node-typescript (/usr/bin/tsc) is also available, so only the sources are needed to build a fully functional Grafana package.

With 3.0.1 this is no longer possible because not all sources are included. I'm not suggesting committing compilers or packaging tools, only the sources that are required to build Grafana.
See example of problem in #5044.

torkelo (Member) commented May 16, 2016

@onlyjob that will at most create an un-optimized development build of the frontend, not a true minified, concatenated frontend that has gone through all the asset optimization pipelines.

onlyjob (Contributor, Author) commented May 16, 2016

Minification is easy to do (there are tools to choose from), but I believe minification is overrated (see #4006). Anyway, minification is another (unrelated) issue...

torkelo (Member) commented May 16, 2016

@onlyjob minification is only one minor part; the whole process is here:
https://github.com/grafana/grafana/blob/master/tasks/build_task.js

Glandos commented Jul 29, 2017

Maybe everyone who lands here knows it, but this issue is related to trust.
Using npm install during the installation process is fine, as long as you don't need trust. NPM has proven its unreliability as a central repository.
Moreover, using an Internet connection in the build process makes reproducible builds impractical.
All in all, trust is why people use Debian packages from the main repository: they can be trusted more than any others. Installing packages from any other source implies less trustworthy packages and a more complicated installation process.

I know this does not really help, because what we really need is to package the two dozen npm libraries needed by grafana into Debian. But I thought it should be said. I'm a fan of grafana, and I'll be delighted to see it back and up to date in Debian.

Glandos commented Jan 8, 2018

Please read https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
We need to have a comprehensive list of the packages installed, with their hash values at least.
