
Undici builds in Node 20.3.0 are non-repeatable

Open sgallagher opened this issue 1 year ago • 4 comments

Bug Description

The change introduced by 3c514d8d98b3887db165b0ace3014a9c6ad0dfb9 removes the ability to reproduce the wasi-sdk sources from the Node.js deliverables.

Reproducible By

In Fedora, we require that all of the sources for the software we deliver are available. Prior to this change, it was possible for us to interrogate the undici Dockerfile in order to identify which version of wasi-sdk was in use by Node.js so we could download the pristine sources from https://github.com/WebAssembly/wasi-sdk/releases/. After this change, there is no way that I can determine to identify the actual provenance of these sources.

Expected Behavior

The exact version of the wasi-sdk sources that are bundled in the undici tarball needs to be readily discoverable somewhere.

Logs & Screenshots

Up until Node.js 20.3.0, it was possible to scrape this information from the Dockerfile, as done here. While this was not ideal (best would be for the project to make a clear statement about the bundled versions), it was sufficient for our needs.

Environment

Fedora 37, 38 Node.js 20.3.0

Additional context

sgallagher, Jun 13 '23 00:06
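The Dockerfile scrape the reporter describes, as an added example that is not undici's or Fedora's own tooling: it resolves the wasi-sdk release pinned through ARG/ENV values into the exact release download URL, and returns None for a Dockerfile that no longer names the wasi-sdk at all, which is the provenance gap this issue reports. Both Dockerfile fragments are constructed for illustration, and all function names are assumptions.

```python
import re
from typing import Dict, Optional

RELEASE_BASE = "https://github.com/WebAssembly/wasi-sdk/releases/download/"

# Constructed fragment (hypothetical, not the real undici Dockerfile): the
# wasi-sdk version is pinned via ARG/ENV and consumed by a download URL.
PINNED_DOCKERFILE = """\
FROM ubuntu:22.04
ARG WASI_SDK_VERSION_MAJOR=20
ARG WASI_SDK_VERSION_MINOR=0
ENV WASI_SDK_TAG=wasi-sdk-${WASI_SDK_VERSION_MAJOR}
RUN curl -sSL https://github.com/WebAssembly/wasi-sdk/releases/download/${WASI_SDK_TAG}/${WASI_SDK_TAG}.${WASI_SDK_VERSION_MINOR}-linux.tar.gz -o /tmp/wasi-sdk.tar.gz
"""

# Constructed fragment of the failure mode: a prebuilt toolchain image hides
# which wasi-sdk release was used, so nothing can be recovered from the file.
UNPINNED_DOCKERFILE = """\
FROM ghcr.io/example/prebuilt-wasi-toolchain:latest
RUN make wasm
"""


def _expand(text: str, env: Dict[str, str]) -> str:
    """Substitute ${VAR} / $VAR with variables collected so far; unknown names stay."""
    return re.sub(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?",
                  lambda m: env.get(m.group(1), m.group(0)), text)


def _collect_vars(dockerfile: str) -> Dict[str, str]:
    """Collect ARG/ENV KEY=VALUE assignments in order, expanding earlier ones."""
    env: Dict[str, str] = {}
    for line in dockerfile.splitlines():
        m = re.match(r"\s*(?:ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)=(\S*)", line)
        if m:
            env[m.group(1)] = _expand(m.group(2), env)
    return env


def wasi_sdk_release(dockerfile: str) -> Optional[Dict[str, str]]:
    """Return {'tag', 'url'} for the wasi-sdk release the Dockerfile fetches,
    or None when no reference to the wasi-sdk release page can be found."""
    env = _collect_vars(dockerfile)
    for line in dockerfile.splitlines():
        m = re.search(re.escape(RELEASE_BASE) + r"([^/\s]+)/(\S+)", _expand(line, env))
        if m:
            return {"tag": m.group(1), "url": m.group(0)}
    return None
```

A packager can feed the resolved URL straight to the download step and treat a None result as a build-provenance failure rather than silently bundling unknown sources.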

PR welcome

ronag, Jun 13 '23 03:06

@ronag I'm interested in helping to move the overall project towards more repeatable builds. I'm thinking we should have some sort of pattern that is recommended for building WASM across the Node.js project.

Before I start looking at that I'd just like to confirm that makes sense to you and you think @undici would be open to accepting a PR to adopt what we come up with.

@nodejs/security-wg FYI as I think this could be one part of the work related to improving how we build/pull in dependencies now that we have the initial automation done.

mhdawson, Jun 13 '23 13:06

SGTM!

ronag, Jun 13 '23 13:06

https://github.com/nodejs/undici/pull/2168 was a first step and has landed. I checked that from what I can see the info should propagate into the Node.js tree on the next undici update. @ronag do you know when the next release might happen?

The next step I think is to consider consolidating the way we build WASM across components and have shared some initial thoughts in https://github.com/nodejs/security-wg/issues/1037#issuecomment-1603393051

mhdawson, Jun 28 '23 21:06