check in the dart pub lockfile in tree #2157

Closed (1 commit)

Conversation

selfisekai

this package provides an executable, and as such should contain the lockfile

@ntkme
Contributor

ntkme commented Dec 30, 2023

#1948 (comment)

@selfisekai
Author

that goes against distro policies that are in place so we know what we're actually building and shipping to users. lockfiles include checksums of the dependencies used

@ntkme
Contributor

ntkme commented Dec 30, 2023

I don't think checking this in is the right solution, as it adds more problems to development and testing.

A better solution would be to add a pubspec.lock as release artifact. The release procedure would be:

  1. Generate a pubspec.lock, upload as the action artifact.
  2. Download from action artifact, build for each architecture with the same pubspec.lock.
  3. Upload pubspec.lock as a release artifact.
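The three-step procedure above, written out as a shell script. This is an added example, not dart-sass's release tooling. It assumes `dart` is on PATH and recent enough to support `dart pub get --enforce-lockfile`, that the executable entry point is `bin/sass.dart`, and it models the Actions artifact store as a plain directory (`ARTIFACT_DIR`), which a real workflow would replace with upload-artifact/download-artifact steps. On top of the three steps it adds the checks a packager would want: the lockfile artifact travels with its own digest, each build job verifies that digest before using the file, refuses to build if pub would need to change the lockfile, and re-checks the lockfile after compiling.

```shell
#!/bin/sh
# Added example, not dart-sass's own release tooling: one pubspec.lock for
# every build. Assumptions: `dart` on PATH (recent enough for
# `dart pub get --enforce-lockfile`), entry point bin/sass.dart, and a plain
# directory standing in for the GitHub Actions artifact store.
set -u

ARTIFACT_DIR="${ARTIFACT_DIR:-./artifacts}"

# Hex sha256 digest of a file (coreutils and busybox sha256sum agree on format).
file_sha256() {
  sha256sum "$1" | awk '{ print $1 }'
}

# 0 if the lockfile matches the digest published with it, 1 otherwise
# (stale or tampered artifact).
lock_matches() {
  [ "$(file_sha256 "$1")" = "$(cat "$2")" ]
}

# Step 1 (runs once): resolve dependencies and publish pubspec.lock plus its
# digest, so every later job can prove it received the same file.
generate_lock() {
  dart pub get || return 1
  mkdir -p "$ARTIFACT_DIR"
  cp pubspec.lock "$ARTIFACT_DIR/pubspec.lock"
  file_sha256 pubspec.lock > "$ARTIFACT_DIR/pubspec.lock.sha256"
}

# Step 2 (runs on each architecture's runner): install the shared lockfile,
# fail if pub would need to modify it, compile, and confirm the lockfile is
# still byte-identical afterwards.
build_with_lock() {
  target="$1"
  if ! lock_matches "$ARTIFACT_DIR/pubspec.lock" "$ARTIFACT_DIR/pubspec.lock.sha256"; then
    echo "pubspec.lock artifact does not match its digest, refusing to build" >&2
    return 1
  fi
  cp "$ARTIFACT_DIR/pubspec.lock" pubspec.lock
  dart pub get --enforce-lockfile || return 1
  mkdir -p "build/$target"
  dart compile exe bin/sass.dart -o "build/$target/sass" || return 1
  lock_matches pubspec.lock "$ARTIFACT_DIR/pubspec.lock.sha256"
}

# Step 3: stage the lockfile and its digest next to the binaries for upload
# as release assets.
stage_release() {
  mkdir -p release
  cp "$ARTIFACT_DIR/pubspec.lock" "$ARTIFACT_DIR/pubspec.lock.sha256" release/
  cp -R build/. release/
}

case "${1:-}" in
  generate) generate_lock ;;
  build)    build_with_lock "${2:?usage: $0 build <target>}" ;;
  stage)    stage_release ;;
esac
```

Run `generate` once, then `build <target>` on each runner after downloading the artifact directory, then `stage`. A downstream packager can later fetch `pubspec.lock` and `pubspec.lock.sha256` from the release and feed them to the same `--enforce-lockfile` step, which is the property selfisekai is asking for.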

@nex3
Contributor

nex3 commented Jan 2, 2024

@selfisekai What's the specific goal of having a pubspec.lock file? Is it to ensure you're using some notion of "the same" dependency versions as a given Dart Sass release? Because not all installation methods use those same versions—anyone installing via pub or Homebrew is only guaranteed a compatible dependency constellation, per semver. Nor do we do any particular verification of the checksums—we just trust the GitHub Actions VM's HTTPS connection to pub.dev, so I'm not sure they provide any particular value beyond the checksums you'd get by constructing a pubspec.lock manually.

If this is still very important, I suppose there's no harm in uploading a lockfile along with the release, but I'm not sure it'll actually provide any material benefits beyond what you'd get by creating one yourself.

@nex3 nex3 added the needs info label Jan 2, 2024
@selfisekai
Author

What's the specific goal of having a pubspec.lock file?

reproducible builds (versions and checksums pinned, so builds are not changed by a dependency's new release or a swap). From the most practical side though, we have to rebuild packages regularly (e.g. with a new dart release). A lockfile just limits the possibilities of other, possibly breaking changes.

so I'm not sure they provide any particular value beyond the checksums you'd get by constructing a pubspec.lock manually.

not separately maintaining a >600 lines file that has to be updated on version bumps
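To make the checksum point concrete, the following shell script is an added example, not code from dart-sass or from aports. It reads the `sha256` entries that pub records for hosted packages in pubspec.lock and compares them against package archives stored as `<dir>/<name>-<version>.tar.gz` (an assumption about where the archives are kept; the lockfile digest is computed over the archive as downloaded from the package repository). It builds a constructed fixture so it runs offline, then simulates the "swap" case: same package name and version, different contents. It also reports hosted entries that carry no digest at all, which is what older lockfiles look like.

```shell
#!/bin/sh
# Added example, not code from dart-sass or aports: verify package archives
# against the sha256 digests pub records in pubspec.lock for hosted packages.
# Assumption: archives live at <dir>/<name>-<version>.tar.gz, i.e. the file
# fetched from the package repository, which is what the lockfile digest covers.
set -u

# Print "name version sha256" for each hosted package in a pubspec.lock, with
# "-" when the entry carries no sha256 (lockfiles written by older SDKs).
# pubspec.lock is YAML, but its layout is regular enough (two-space indent,
# `version:` as the last key of every package) for a small awk state machine.
lock_entries() {
  awk '
    /^  [A-Za-z0-9_]+:$/ { name = $1; sub(/:$/, "", name); sha = ""; src = "" }
    /^      sha256:/     { sha = $2; gsub(/"/, "", sha) }
    /^    source:/       { src = $2 }
    /^    version:/      { ver = $2; gsub(/"/, "", ver)
                           if (src == "hosted") print name, ver, (sha == "" ? "-" : sha) }
  ' "$1"
}

# Check every hosted package named by the lockfile. Prints one line per
# package (ok / MISSING / MISMATCH / UNPINNED) and returns 0 only if all are ok.
verify_archives() {
  lock="$1"; dir="$2"
  report=$(lock_entries "$lock" | while read -r name ver want; do
    f="$dir/$name-$ver.tar.gz"
    if [ "$want" = "-" ]; then
      echo "UNPINNED $name $ver (no sha256 in lockfile)"
    elif [ ! -f "$f" ]; then
      echo "MISSING  $name $ver"
    else
      got=$(sha256sum "$f" | awk '{ print $1 }')
      if [ "$got" = "$want" ]; then
        echo "ok       $name $ver"
      else
        echo "MISMATCH $name $ver (lockfile $want, archive $got)"
      fi
    fi
  done)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -Eq '^(MISSING|MISMATCH|UNPINNED)'
}

# Constructed fixture: two tiny "archives" and a lockfile whose digests match
# them. Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/cache"
  echo "packages:" > "$d/pubspec.lock"
  for pkg in "args 2.4.2" "path 1.8.3"; do
    set -- $pkg
    mkdir -p "$d/src/$1"
    printf 'name: %s\nversion: %s\n' "$1" "$2" > "$d/src/$1/pubspec.yaml"
    tar -czf "$d/cache/$1-$2.tar.gz" -C "$d/src/$1" pubspec.yaml
    sha=$(sha256sum "$d/cache/$1-$2.tar.gz" | awk '{ print $1 }')
    printf '  %s:\n    dependency: "direct main"\n    description:\n      name: %s\n      sha256: "%s"\n      url: "https://pub.dev"\n    source: hosted\n    version: "%s"\n' \
      "$1" "$1" "$sha" "$2" >> "$d/pubspec.lock"
  done
  printf 'sdks:\n  dart: ">=3.0.0 <4.0.0"\n' >> "$d/pubspec.lock"
  echo "$d"
}

# Simulate a swapped dependency: same name and version, different contents.
swap_archive() {
  printf 'name: args\nversion: 2.4.2\nextra: payload\n' > "$1/src/args/pubspec.yaml"
  tar -czf "$1/cache/args-2.4.2.tar.gz" -C "$1/src/args" pubspec.yaml
}

FIX=$(make_fixture)
echo "== pristine archives"
verify_archives "$FIX/pubspec.lock" "$FIX/cache"
swap_archive "$FIX"
echo "== after swapping args-2.4.2"
verify_archives "$FIX/pubspec.lock" "$FIX/cache" || echo "verification failed, as it should"
rm -rf "$FIX"
```

The awk parser deliberately only trusts `source: hosted` entries; path and git dependencies carry no archive digest in the lockfile and need their own verification (a pinned `resolved-ref` for git). Treating a hosted entry without a `sha256` as a failure rather than skipping it is the important choice: a lockfile that pins versions but not digests only protects against the "new release" case in the comment above, not against the "swap" case.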

@ntkme
Contributor

ntkme commented Jan 3, 2024

To provide a bit more context: @selfisekai is a maintainer of alpine-linux. They have their own packaging of dart-sdk and dart-sass that is different from https://github.com/dart-musl/dart and the linux-musl package we ship.

This is https://github.com/dart-musl/dart:

/ # ldd /usr/lib/dart/bin/dart
	/lib/ld-musl-aarch64.so.1 (0xffff8b6f0000)
	libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff8b6f0000)

This is dart-sdk from alpine-linux:

/ # ldd /usr/bin/dart
	/lib/ld-musl-aarch64.so.1 (0xffffac9f9000)
	libz.so.1 => /lib/libz.so.1 (0xffffaa53e000)
	libicuuc.so.74 => /usr/lib/libicuuc.so.74 (0xffffaa34b000)
	libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xffffaa0a6000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0xffffaa075000)
	libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffffac9f9000)
	libicudata.so.74 => /usr/lib/libicudata.so.74 (0xffffaa055000)

The main difference is that https://github.com/dart-musl/dart is optimized for compatibility and portability, so all libraries except musl-libc are bundled. It is done the same way as the official dart-sdk, where all libraries except glibc are bundled.

The dart-sdk shipped with alpine-linux is optimized for binary size, so it is dynamically linked against its dependency libraries. The dart-sass package that alpine-linux ships is also optimized for binary size: the package is effectively only an aot-snapshot and a shell script. The dart-sass package from alpine-linux does not ship any dart runtime by itself, as the shell script just runs the dart runtime provided by the dart-sdk package. Therefore, if the dart-sdk package gets an update, the dart-sass package would need a rebuild, because the aot-snapshot is sdk version dependent. I think what @selfisekai is looking for is that each time dart-sass is rebuilt for a new sdk version it would get the same dependencies.

@ntkme
Contributor

ntkme commented Jan 3, 2024

@selfisekai The question for you is: what's the issue with the approach you already have, with pubspec.lock checked in to aports?

https://git.alpinelinux.org/aports/tree/testing/dart-sass/lock.patch

This should already give you “reproducible” builds. If your goal is to provide a build that is the same as what we've released here in this repo, I have to remind you that we don't rebuild dart-sass releases when a new dart-sdk is available, so even if you have pubspec.lock it is not going to be the same (there is no guarantee that new sdks won't break things).

@nex3
Contributor

nex3 commented Jan 3, 2024

Yeah, that's the thing—I don't think checking in pubspec.lock (or uploading it as a build artifact) materially makes builds any more "reproducible" than storing a pubspec.lock yourself. It would allow you to use the same constellation of dependencies that we use for some of our releases of a given version of Dart Sass, but even that is contingent (in that we don't necessarily use those dependencies for pub or Homebrew releases) and coincidental (in that we don't consider that set of dependencies canonical and they undergo no special vetting).

@selfisekai
Author

it does not, it's just about the fact of maintaining it separately

@nex3
Contributor

nex3 commented Jan 4, 2024

If this is just for convenience, I'd prefer to avoid checking in the lockfile.

@nex3 nex3 closed this Jan 4, 2024