Skip to content

Comments

build: Remove bundled protoc and build from source#610

Merged
LucioFranco merged 6 commits intomasterfrom
lucio/vendored
Mar 28, 2022
Merged

build: Remove bundled protoc and build from source#610
LucioFranco merged 6 commits intomasterfrom
lucio/vendored

Conversation

@LucioFranco
Copy link
Member

@LucioFranco LucioFranco commented Mar 25, 2022
edited
Loading

This is an initial attempt to remove bundled binaries from prost-build and to instead compile protobuf from source. This is a much safer approach and reduces prost's vulnerability to supply chain attacks.

Reference #575 (comment) for more information on how this is implemented.

This also adds a test-vendored crate which ensures that vendoring works.

Closes #575

LucioFranco
LucioFranco commented Mar 25, 2022
View reviewed changes
LucioFranco
LucioFranco commented Mar 25, 2022
View reviewed changes
LucioFranco
LucioFranco commented Mar 25, 2022
View reviewed changes
LucioFranco
LucioFranco commented Mar 25, 2022
View reviewed changes
@LucioFranco LucioFranco marked this pull request as ready for review March 28, 2022 18:25
@LucioFranco LucioFranco merged commit fc9fbd9 into master Mar 28, 2022
@LucioFranco LucioFranco deleted the lucio/vendored branch March 28, 2022 20:38
@tmfink tmfink mentioned this pull request Mar 28, 2022
Closed
@tomaka tomaka mentioned this pull request Mar 31, 2022
Merged
@skyzh skyzh mentioned this pull request Apr 4, 2022
Merged
danburkert added a commit to sisudata/prost that referenced this pull request Apr 7, 2022
@danburkert
Revert "build: Remove bundled protoc and build from source (tokio-rs#610
5762c6b 
)"

This reverts commit fc9fbd9.

The bundled protoc is very convenient, particularly for container
builds.
danburkert added a commit to sisudata/prost that referenced this pull request Apr 7, 2022
@danburkert
Revert "build: Remove bundled protoc and build from source (tokio-rs#610
5a11c7b 
)"

This reverts commit fc9fbd9.

The bundled protoc is very convenient, particularly for container
builds.
@agourlay agourlay mentioned this pull request Apr 8, 2022
Merged
@Thomasdezeeuw
Copy link

Thomasdezeeuw commented Apr 11, 2022

I just want to note that this change (I think) requires cmake to be install to build prost, which broke our build pipeline.

@LucioFranco
Copy link
Member Author

LucioFranco commented Apr 11, 2022

@Thomasdezeeuw right, cmake is now a requirement. There is #620 being worked on or you can just bundle the protoc binary yourself (or download it on CI) and provide it in the path to speed up compile times.

@tustvold tustvold mentioned this pull request Apr 16, 2022
Closed
@arctic-alpaca arctic-alpaca mentioned this pull request Apr 25, 2022
Closed
@jvanstraten jvanstraten mentioned this pull request May 26, 2022
Merged
mdrach pushed a commit to sisudata/prost that referenced this pull request Aug 3, 2022
@LucioFranco @mdrach
build: Remove bundled protoc and build from source (tokio-rs#610)
e4eeead
mdrach pushed a commit to sisudata/prost that referenced this pull request Aug 3, 2022
@danburkert @mdrach
Revert "build: Remove bundled protoc and build from source (tokio-rs#610
dd1914f 
)"

This reverts commit fc9fbd9.

The bundled protoc is very convenient, particularly for container
builds.
mdrach pushed a commit to sisudata/prost that referenced this pull request Aug 4, 2022
@danburkert @mdrach
Revert "build: Remove bundled protoc and build from source (tokio-rs#610
a22145a 
)"

This reverts commit fc9fbd9.

The bundled protoc is very convenient, particularly for container
builds.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Supply chain security with embedded protoc binaries

2 participants

@LucioFranco @Thomasdezeeuw