Track vendored deps for .PKGINFO #721

Merged
merged 1 commit into from
Oct 10, 2023

Conversation

jonjohnsonjr
Contributor

If we discover a vendored dependency (outside of libdirs), we will use that to self-satisfy any generated runtime dependencies. Notably, we will not use these vendored dependencies to satisfy any explicitly configured runtime dependencies so that we have an escape hatch for overriding the SCA.

This also adds # vendored = ... comments to .PKGINFO so that we can debug cases that would otherwise appear as a missing runtime dependency.

(Draft for now because I would like to do a dry run of this new logic against existing packages to see if there are any unexpected diffs.)

If we discover a vendored dependency (outside of libdirs), we will use
that to self-satisfy any generated runtime dependencies. Notably, we
will not use these vendored dependencies to satisfy any explicitly
configured runtime dependencies so that we have an escape hatch for
overriding the SCA.

This also adds `# vendored = ...` comments to .PKGINFO so that we can
debug cases that would otherwise appear as a missing runtime dependency.

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
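The rule described above (a vendored shared object outside libdirs self-satisfies SCA-generated `so:` dependencies but never an explicitly configured one, and each dropped dependency is recorded as a `# vendored = ...` comment in .PKGINFO) as a small Go model. This is an added example, not code from the melange PR; the libdirs set, the exact-directory matching, the soname heuristic, and the text that follows `# vendored =` are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// libdirs: directories whose shared objects count as public library
// locations. Assumed set for this example, matched as exact directories,
// so a file under usr/lib/dotnet/... counts as "outside libdirs".
var libdirs = map[string]bool{
	"lib": true, "usr/lib": true, "lib64": true, "usr/lib64": true,
}

// looksLikeSharedObject is a rough soname filter (assumed heuristic).
func looksLikeSharedObject(base string) bool {
	return strings.HasSuffix(base, ".so") || strings.Contains(base, ".so.")
}

// FindVendored maps "so:<soname>" to the path of every shared object that
// lives outside libdirs, i.e. a private copy the package ships for itself.
func FindVendored(files []string) map[string]string {
	vendored := map[string]string{}
	for _, f := range files {
		f = strings.TrimPrefix(f, "/")
		base := filepath.Base(f)
		if !looksLikeSharedObject(base) || libdirs[filepath.Dir(f)] {
			continue
		}
		vendored["so:"+base] = f
	}
	return vendored
}

// Resolve applies the PR's rule: a generated (SCA) dependency that a
// vendored copy satisfies is dropped and recorded as a comment; explicitly
// configured dependencies are always kept, so the package config still
// overrides whatever the SCA decides.
func Resolve(explicit, generated []string, vendored map[string]string) (depends, comments []string) {
	seen := map[string]bool{}
	add := func(d string) {
		if !seen[d] {
			seen[d] = true
			depends = append(depends, d)
		}
	}
	for _, d := range explicit {
		add(d)
	}
	for _, d := range generated {
		if path, ok := vendored[d]; ok {
			// Layout after "# vendored =" is assumed; the PR only shows the prefix.
			comments = append(comments, fmt.Sprintf("# vendored = %s (%s)", d, path))
			continue
		}
		add(d)
	}
	return depends, comments
}

// RenderPkgInfo emits the dependency part of a .PKGINFO: one "depend ="
// line per dependency, then the vendored comments for debugging.
func RenderPkgInfo(depends, comments []string) string {
	var b strings.Builder
	for _, d := range depends {
		fmt.Fprintf(&b, "depend = %s\n", d)
	}
	for _, c := range comments {
		b.WriteString(c + "\n")
	}
	return b.String()
}

func main() {
	// Constructed package contents, loosely modelled on a dotnet build.
	files := []string{
		"/usr/bin/dotnet",
		"/usr/lib/dotnet/shared/Microsoft.NETCore.App/7.0.0/libcoreclr.so",
		"/usr/lib/libpublic.so.1", // inside libdirs: not vendored
	}
	vendored := FindVendored(files)
	explicit := []string{"ca-certificates", "so:libcoreclr.so"}
	generated := []string{"so:libcoreclr.so", "so:libz.so.1", "so:libc.musl-x86_64.so.1"}
	depends, comments := Resolve(explicit, generated, vendored)
	fmt.Print(RenderPkgInfo(depends, comments))
}
```

In the sample run, the generated `so:libcoreclr.so` is dropped with a comment because the package ships its own copy under `usr/lib/dotnet`, while the same name listed explicitly survives untouched; `so:libz.so.1` and the musl dependency are emitted as normal `depend =` lines.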
@jonjohnsonjr jonjohnsonjr marked this pull request as ready for review October 3, 2023 14:54
@jonjohnsonjr
Contributor Author

jonjohnsonjr commented Oct 3, 2023

I am pretty comfortable with this change. I ran against wolfi HEAD last night and produced https://gist.github.com/jonjohnsonjr/4cb59e0503cd16d064184d0b82c20050

There are a handful of things that seem off, filed wolfi-dev/os#6199 for those.

Packages that will have vendored things post bump:

  • ssdeep
  • dotnet-7
  • dotnet-6
  • graphene
  • gstreamer
  • libdrm
  • libeconf
  • libpciaccess
  • libpfm
  • libsolv
  • libva
  • libvdpau
  • libvterm
  • libxkbcommon
  • opus
  • unibilium
  • utf8proc

It seems like only the dotnet packages really make sense here and the others will need to be fixed, but the part that removes these libraries from being provided has already landed in melange. This change only removes some of these libraries from being added as depends if SCA detects it but we have a vendored copy already.

@jonjohnsonjr jonjohnsonjr enabled auto-merge October 3, 2023 15:11
@jonjohnsonjr jonjohnsonjr merged commit 2c1195f into chainguard-dev:main Oct 10, 2023
26 checks passed