Refactor vendoring to allow validating vendoring is reproducible #7285

Merged
merged 1 commit into from
Dec 15, 2023

Member

@segiddins segiddins commented Dec 15, 2023

Helps ensure that unsuspecting diffs to the vendored code aren't accidentally introduced

What was the end-user or developer problem that led to this PR?

Changes to vendored code are hard to review, and it would be easy for a change to be slipped in that isn't actually from upstream. I deem this to be an attack vector, and one that we don't need to have.

What is your fix for the problem, implemented in this PR?

Make the vendoring process idempotent, so we can (in CI) check that re-vendoring from upstream does not introduce any diffs.

As a part of that, use bundler to do the fetching & unpacking, so we can piggy-back off of its caching & parallel installation & checksum validation.

Make sure the following tasks are checked

Helps ensure that unsuspecting diffs to the vendored code aren't accidentally introduced
@segiddins segiddins force-pushed the segiddins/verify-vendored-code branch from a698cb0 to 7c425d4 Compare December 15, 2023 10:16
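
The check described in the PR description above (re-vendor from upstream, then confirm nothing differs from what is committed), sketched as an added example that is not code from this PR or from RubyGems/Bundler. The `revendor` step, its namespace rewrite, and all directory and file names are assumptions, and the sample trees are constructed.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Map every file under root (dotfiles included) to its SHA-256 digest.
def tree_digests(root)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root).sort.each_with_object({}) do |rel, acc|
    path = File.join(root, rel)
    acc[rel] = Digest::SHA256.file(path).hexdigest if File.file?(path)
  end
end

# Hypothetical vendoring step: rebuild dest from upstream with a deterministic
# namespace rewrite. Starting from an empty dest makes repeated runs identical.
def revendor(upstream, dest, namespace)
  FileUtils.rm_rf(dest)
  Dir.glob("**/*", base: upstream).sort.each do |rel|
    src = File.join(upstream, rel)
    next unless File.file?(src)
    target = File.join(dest, rel)
    FileUtils.mkdir_p(File.dirname(target))
    File.write(target, File.read(src).gsub(/\bmodule Lib\b/, "module #{namespace}::Lib"))
  end
end

# Compare the committed vendored tree against a fresh re-vendor of upstream.
def vendoring_drift(committed, fresh)
  a, b = tree_digests(committed), tree_digests(fresh)
  { modified: (a.keys & b.keys).reject { |f| a[f] == b[f] },
    only_in_repo: a.keys - b.keys, # files upstream never shipped
    missing: b.keys - a.keys }     # upstream files absent from the repo
end

# Constructed sample: a one-file upstream, then a hand-edited committed copy.
def demo
  Dir.mktmpdir do |tmp|
    upstream, committed, fresh = %w[upstream committed fresh].map { |d| File.join(tmp, d) }
    FileUtils.mkdir_p(File.join(upstream, "lib"))
    File.write(File.join(upstream, "lib/a.rb"), "module Lib\n  VERSION = '1.0'\nend\n")
    revendor(upstream, committed, "Host")
    revendor(upstream, fresh, "Host")
    clean = vendoring_drift(committed, fresh)
    File.write(File.join(committed, "lib/a.rb"), "module Host::Lib\n  PATCHED = true\nend\n")
    File.write(File.join(committed, "lib/.extra.rb"), "# not from upstream\n")
    [clean, vendoring_drift(committed, fresh)]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

A CI job built on this would fail whenever any of the three lists is non-empty, which flags both edited files and files that upstream never shipped.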
Member

@deivid-rodriguez deivid-rodriguez left a comment

Wow. This is freaking awesome, I'm speechless :)

Member

@simi simi left a comment

Massive!

@simi simi merged commit 3f249dd into master Dec 15, 2023
80 checks passed
@simi simi deleted the segiddins/verify-vendored-code branch December 15, 2023 14:48
deivid-rodriguez pushed a commit that referenced this pull request Dec 15, 2023
Refactor vendoring to allow validating vendoring is reproducible

(cherry picked from commit 3f249dd)
matzbot pushed a commit to ruby/ruby that referenced this pull request Dec 16, 2023
  Refactor vendoring to allow validating vendoring is reproducible

  Helps ensure that unsuspecting diffs to the vendored code aren't accidentally introduced
@nurse nurse mentioned this pull request Feb 1, 2024