Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Projects that have dynamic names don't work #22

Open
pmonks opened this issue Oct 30, 2018 · 8 comments
Open

Projects that have dynamic names don't work #22

pmonks opened this issue Oct 30, 2018 · 8 comments

Comments

@pmonks
Copy link

pmonks commented Oct 30, 2018
edited
Loading

We have a single project (fn-fx) that emits two separate artifacts, under different names:

  1. https://clojars.org/fn-fx/fn-fx-javafx
  2. https://clojars.org/fn-fx/fn-fx-openjfx11

It appears that versions doesn't handle that properly, as our dependency status badge is no longer functional:

Dependencies Status

Note: this may be another symptom of issue #5.
pmonks added a commit to fn-fx/fn-fx that referenced this issue Oct 30, 2018
@pmonks
📚 Tweak language and comment out broken dependency badge
3b41a4c 
See deps-app/versions#22 for the issue regarding the dependency badge.
@pmonks pmonks mentioned this issue Oct 30, 2018
Merged
@danielcompton
Copy link
Member

Ouch, yeah the trouble with this is that the project.clj parser doesn't execute any code which is what's needed here to distinguish between the two versions. Will have to noodle on this further.

@pmonks
Copy link
Author

pmonks commented Nov 9, 2018

Here's a possible idea (that may be completely off base, so feel free to shoot it down if it clearly won't work):

Instead of trying to read project.clj files as static data structures, why not just run a leiningen plugin that checks dependencies and updates whatever data structure(s) the versions front end uses? That way you can leverage all of leiningen's built-in magic for "free".

This might even be as simple as just running something like lein-ancient, and then twizzling the output a bit.

@danielcompton
Copy link
Member

The issue with reading it via a Leiningen plugin is that that causes arbitrary code to be executed. The trick is doing this safely. If I just do this on the Heroku server then I will have arbitrary code execution on the same server, not ideal...

To solve this in the general case I think you'd need to use something like Lambda or a similar isolated code execution environment.

@pmonks
Copy link
Author

pmonks commented Nov 14, 2018

You could execute the leiningen + custom plugin in a container, then throw it away as soon as it's done. The only thing that would survive the container would be whatever data the custom plugin emits (project name, version, dependency graph, etc.). Given that you control the plugin, there's almost no risk of arbitrary code somehow "escaping" the container.

This is how services that are fundamentally based on arbitrary code execution (e.g. TravisCI) handle this kind of thing.

@danielcompton
Copy link
Member

Yep, that's what I need to do, it's just a tricky problem to solve safely.

@pmonks
Copy link
Author

pmonks commented Nov 15, 2018

Containers provide a safe sandbox in which to execute arbitrary code, and the only component that will be touching the environment outside the container (the custom leiningen plugin) is entirely under your control.

@pmonks
Copy link
Author

pmonks commented Nov 15, 2018

There's even this library to make managing the temporary container easier.

vemv referenced this issue in clojure-emacs/cider-nrepl Feb 2, 2022
@vemv
Upgrade tools.trace
a108788
@vemv
Copy link

vemv commented Feb 2, 2022

For anyone else finding this issue, an alternative approach would be to use the antq lein plugin as a github action, and then self-hosting a badge

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pmonks @danielcompton @vemv