-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs cleanup #569
base: main
Are you sure you want to change the base?
docs cleanup #569
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since modifications are being done to the file, the PR feels a bit incomplete in that it's worth checking what information still applies, otherwise we'd be still publishing inaccurate and misleading data, which in essence, yes, was still completely wrong with the original file but was also kind of tolerable with the old cachito mentions since the file was inherently inaccurate as a whole; we should avoid that with its update/conversion to cachi2.
To support my argument a bit more, we also have this sentence in the doc:
"Cachi2 never executes your code, or the code of any of your dependencies. What about your build?"
Which in hindsight is a very bold statement in general, because hey, it's only ever going to be best effort given the inherently ever-present bugs :) and is also not true with Yarn v3 where we enabled the 'exec' plugin just to get some more essential plugins working with builds with the hope that it wouldn't ever lead to arbitrary code execution (which at the time of adding it wasn't the case, but who knows, maybe future versions of Yarn v3 will change that underneath without us even knowing...)
Maybe I would throw away the whole section of package managers, and then we would need to edit the docs in 2 places, which it seems no one did, and that's why it stayed like that. |
Sorry for not getting back. Yeah, agreed on the inconsistency. I still think there's value in explaining the background story, but we should maintain this information in the respective package manager's doc and only link to that piece of information from this document, do you agree? @slimreaper35 can we reopen this? I don't think the discussion here should be abandoned. |
I also got an idea if it is not better to select the most relevant parts and put them in the main README.md. Contributors or users would get the background story straight away. |
That is also an acceptable option. Still, package manager related bits would still need to be moved to the respective docs. Hmm, maybe not actually, maybe it could be all within README, just spread across multiple sections and linked together. |
There is also another outdated document that was copied from Cachito. |
Agreed, an SBOM section should be added to the main README file for now unless we have an extensive contents for this to be put in a standalone doc and this one should be dropped - I don't think we'll concern ourselves with content manifests other than what SBOM provides. |
So this is version 2. |
so do you plan on extracting the package manager bits and moving them to the respective docs because right now it still looks confusing especially since you left the 'cachito' references in. |
docs/dependency_confusion.md
Outdated
[cachito-1]: https://github.com/containerbuildsystem/cachito | ||
## pip | ||
|
||
*TL;DR: if your package is Cachito compliant, it is most likely safe. If you want to be sure, verify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you left the package managers paragraphs in, but we still mention cachito here, that's confusing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still figuring out what to put there because I don't want to include general statements that should be part of the regular documentation. Anyway, I dropped those paragraphs so it is less confusing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note you can't just remove content for your convenience if it doesn't fit the immediate intention like in this PR, because we'd lose legitimate content too (and we'd have to revert the change in the future). IOW part of dropping references to the original cachito code base is also finding new home to the information that still applies instead of just outright deleting it, leaving it for a potential future follow up, that's not how things should be done. IMO it's better to have more-or-less updated content with some inaccuracies which anyone willing to do so can identify and fix than no content at all and so I didn't go too deep into our code to verify every single sentence in those paragraphs, but as I outlined in my comments, much of the information is still valid and so I'd imagine these bits to be moved to the respective package manager docs to a section clearly denoting the dependency confusion matter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I turned it back to its original state. It's not a high priority now, so I'll leave it like that.
I still don't know what should be in the package manager section; my intention is to avoid general notes that are part of the regular documentation. So, later on, we don't have to adjust docs at multiple places.
a13f340
to
0b1bff2
Compare
80e8c1e
to
7fa142e
Compare
docs/dependency_confusion.md
Outdated
- package manager for Go | ||
- lock file: `go.sum` | ||
- [docs/gomod.md](https://github.com/containerbuildsystem/cachi2/tree/main/docs/gomod.md) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you remove the whole dependency-related content from the respective package manager sections, what is the actual value of having these like you propose at all?
> must be | ||
> [pinned](https://github.com/release-engineering/cachito/blob/master/docs/pip.md#pinning-versions) | ||
> to an exact version. Cachito will refuse to process requirements files that use the --index-url or | ||
> --extra-index-url options, which means private registries are out of the question. These two |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So for pip, apart from index-url
everything else should be more or less true even now for cachi2.
> *TL;DR: do not use unofficial registries. Even if you try to do so via .npmrc, Cachito will ignore | ||
> it.* | ||
> | ||
> Npm packages follow the typical package file + lock file approach. The package file is | ||
> [package.json](https://docs.npmjs.com/cli/v6/configuring-npm/package-json), the lock file is | ||
> [package-lock.json](https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json) or | ||
> [npm-shrinkwrap.json](https://docs.npmjs.com/cli/v6/configuring-npm/shrinkwrap-json). Cachito | ||
> requires the lock file. | ||
> | ||
> The lock file pins all dependencies to exact versions. For https dependencies, which are impossible | ||
> to pin, Cachito requires the integrity value (a checksum). For dependencies from the npm registry, | ||
> Cachito does not require integrity values, but newer versions of npm will always include them. Check | ||
> if all your dependencies have an integrity value, update your lock file if not. | ||
> | ||
> Do not try to use private registries. If you point npm to a private registry (or any registry other | ||
> than the official one) via [.npmrc](https://docs.npmjs.com/cli/v6/configuring-npm/npmrc), Cachito | ||
> will ignore it and look in the official registry anyway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we've made any distinctive changes to NPM after porting the code from cachito, so I guess it's still valid.
docs/dependency_confusion.md
Outdated
### yarn | ||
|
||
[cachito-1]: https://github.com/containerbuildsystem/cachito | ||
- package manager for JavaScript | ||
- lock file: `yarn.lock` | ||
- [docs/yarn.md](https://github.com/containerbuildsystem/cachi2/tree/main/docs/npm.md) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not an adequate replacement because you just replaced Yarn v1 content (which we don't support yet) with a reference to our Yarn v2+ docs (indended, in reality you linked NPM instead).
docs/dependency_confusion.md
Outdated
[cachito-1]: https://github.com/containerbuildsystem/cachito | ||
## pip | ||
|
||
*TL;DR: if your package is Cachito compliant, it is most likely safe. If you want to be sure, verify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note you can't just remove content for your convenience if it doesn't fit the immediate intention like in this PR, because we'd lose legitimate content too (and we'd have to revert the change in the future). IOW part of dropping references to the original cachito code base is also finding new home to the information that still applies instead of just outright deleting it, leaving it for a potential future follow up, that's not how things should be done. IMO it's better to have more-or-less updated content with some inaccuracies which anyone willing to do so can identify and fix than no content at all and so I didn't go too deep into our code to verify every single sentence in those paragraphs, but as I outlined in my comments, much of the information is still valid and so I'd imagine these bits to be moved to the respective package manager docs to a section clearly denoting the dependency confusion matter.
This file does not store relevant information about cachi2. (It was copied from cachito.) Signed-off-by: Michal Šoltis <[email protected]>
This file is extremely outdated, specifically section about package managers is incomplete and misleading. Let's refactor and simplify the whole document into three sections: 1. what is actually dependency confusion 2. how cachi2 fights against dependency confusion attacks 3. specific information regarding supported package managers Signed-off-by: Michal Šoltis <[email protected]>
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test
(as is the standard for Pipelines as Code)