Create a bazel rule to print Envoy's dependencies#5049
Create a bazel rule to print Envoy's dependencies#5049dprotaso wants to merge 2 commits intoenvoyproxy:masterfrom
Conversation
dprotaso
force-pushed
the
master
branch
2 times, most recently
from
0066854 to
b0e7c96
Compare
|
Trying to under the context more: |
|
Sample output is here:
I'm trying to help facilitate OSS license scanning of Envoy & it's dependencies. The script produces an artifact that should be consumable by an automated process. |
|
For example the Istio project currently scans it's go dependencies and discloses it here This PR will enable similar scanning and disclosure for Envoy and its dependencies. |
|
Looks like I overlooked Is there a reason why this isn't in the root |
|
From Slack yesterday, the 4 locations for dependencies are
|
|
Highly recommend folks who haven't to take a look at #bazel on Slack from yesterday that @moderation points to, this is where we went over the context. |
dprotaso
changed the title
dprotaso
force-pushed
the
master
branch
5 times, most recently
from
74a25b2 to
6d651a4
Compare
dprotaso
changed the title
|
@moderation @htuch I've made updates - do you mind taking a look?
I also opt'd not to touch |
If this is the purpose, why do you need git repo / SHA for every dependency? The download tar ball should have LICENSE{.txt} file in it, so you can inspect from there. The downloaded tar ball is where we consume dependency so it should be single source of truth. Also take a look at the result of |
The main intent here is to capture all dependencies including the build recipes
Yeah ideally, we'd scan the source tarball. Some thoughts on why the repo/sha might still be relevant.
|
dprotaso
force-pushed
the
master
branch
2 times, most recently
from
61c1914 to
1eceacc
Compare
dprotaso
changed the title
I meant your script can utilize the output, without scraping everything else than |
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
Looks really nice now, I think this looks right structurally.
| strip_prefix = "protobuf-" + GOGOPROTO_RELEASE, | ||
| url = "https://github.com/gogo/protobuf/archive/v" + GOGOPROTO_RELEASE + ".tar.gz", | ||
| build_file_content = """ | ||
| GOGOPROTO_BUILD_CONTENT = """ |
There was a problem hiding this comment.
Should this be at the top next to the other build content defs? Or should they all be next to their consuming sites? Either is good, as long as we are consistent.
| RECIPE_VERSIONS_FILE = 'ci/build_container/build_recipes/versions.sh' | ||
|
|
||
|
|
||
| # parseRecipeDetails will extact a build_recipe version |
|
|
||
| # expandVars will replace references to environment | ||
| # variables in the given 'value' string | ||
| def expandVars(value): |
There was a problem hiding this comment.
Nit: not sure it's worth providing a wrapper for this..
|
|
||
| GPERFTOOLS_VERSION=2.7 | ||
| GPERFTOOLS_TAG=gperftools-$GPERFTOOLS_VERSION | ||
| GPERFTOOLS_FILE_URL=https://github.com/gperftools/gperftools/releases/download/$GPERFTOOLS_TAG/$GPERFTOOLS_TAG.tar.gz |
There was a problem hiding this comment.
Nit: Google style requires X="$Y" when you are expanding out variables, so best to just do this everywhere in this file.
| ZLIB_VERSION=1.2.11 | ||
| ZLIB_FILE_URL=https://github.com/madler/zlib/archive/v$ZLIB_VERSION.tar.gz | ||
| ZLIB_FILE_SHA256=629380c90a77b964d896ed37163f5c3a34f6e6d897311f1df2a7016355c45eff | ||
| ZLIB_FILE_PREFIX=zlib-$ZLIB_VERSION |
There was a problem hiding this comment.
I've probably already mentioned this, but you could just make this a .py with a giant dictionary and a CLI driver that takes a single arg, which is the dep name. Then in the scripts, you can do $(versions.py zlib) in the build recipes when you want the zlib URL. It's slightly cleaner as you don't need to scrape as you do in the print recipes script using regexes, you could directly import.
There was a problem hiding this comment.
You did mention it - I'll make the change it'll clean things up
| loc_key = kwargs.pop("repository_key", name) | ||
| location = repository_locations[loc_key] | ||
|
|
||
| # Git tags are mutable. We want to depend on commit IDs instead. Give the |
There was a problem hiding this comment.
I think git repositories are already disabled so we can remove this.
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
|
Going to pick this up again once #5218 is merged |
stale
bot
removed
the
stale
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
stale
bot
removed
the
stale
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
htuch
added
no stalebot
|
Reopened, while we wait for external cmake support. |
|
Wooooooo
…On Wed, Jan 30, 2019 at 17:13 htuch ***@***.***> wrote:
@dprotaso <https://github.com/dprotaso> #5218
<#5218> has merged.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5049 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABIgquTsDwxxNGZqY8AoaBgIfdAYJQAks5vIhkAgaJpZM4Yf9h_>
.
|
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
5 participants
Description:
Simply invoke the run rule as follows:
Or the python script directly (from project root):
Risk Level:
Low
Testing:
I tested the changes by invoking the script
ci/build_container/docker_build.shDocs Changes:
None
Release Notes:
None.
Additional Notes
For build recipes there was a debate in slack about whether to fetch the GitHub autogenerated source tarballs or if possible one's provided by the maintainer in a release. Based on the opinions I opt'd the leave everything the same.
If we were to always fetch via autogenerated source tarballs using the git sha this would simplify the build scripts. I don't have preference just an FYI for others.
This was my original approach in an older branch that you can see here:
Versions file:
https://github.com/dprotaso/envoy/blob/9474cf3290020464e4fe31df7fcf236cd155d630/ci/build_container/build_recipes/versions.sh
Example script:
https://github.com/dprotaso/envoy/blob/9474cf3290020464e4fe31df7fcf236cd155d630/ci/build_container/build_recipes/benchmark.sh