
Include Steps To "development-instructions.md" For Building "zap-cli"

Open vindicatorr opened this issue 1 year ago • 1 comments

References: https://github.com/project-chip/zap/blob/master/docs/development-instructions.md
Steps: https://github.com/project-chip/zap/issues/977#issuecomment-1487387514

Current method partially yoinked from https://github.com/project-chip/zap/blob/master/.github/workflows/release.yml#L220

Result: every run of zap-cli: "Could not retrieve version from .version.json"

EDIT0: A quick thought just came to me that I'm about to test... npm run version-stamp

EDIT1: Yeah, looks like that was it. First thing I ran and a "find" showed the file. Now to see if it gets incorporated after the rest of my steps (which I expect it will).

EDIT2: Yup, that was the only step I was missing:

$ ./zap-cli --version
Version: 2023.3.27
Feature level: 94
Hash: 15f96c4f997301da1174ef29156c1c7d442f5d44
Date: 2023-03-27T17:20:50.000Z
Mode: binary
Executable: ./zap-cli

vindicatorr avatar Mar 28 '23 19:03 vindicatorr

Will look into it and get back to you. thanks.

paulr34 avatar Mar 28 '23 19:03 paulr34

the binaries are on GitHub

paulr34 avatar Aug 08 '24 17:08 paulr34

> the binaries are on GitHub

I would hardly consider that a "fix" to the "issue" paulr34. For you and any other maintainer, I'll remind everyone of how XZ went down: https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know.

Now, I'll grant that it wasn't a binary they included in their repo, but rather obfuscating the bootstrap into the code. But with the source code, it'd be easier to sniff out questionable code over a suspect maintainer pushing a binary. Not to mention performance customizations that can be had by building the binaries yourself.

My hope (not knowing the process for github "releases") is that a maintainer wouldn't just be able to release any old binary, but would be limited to it automatically being built by github for said repo. But then I could see a corrupt maintainer pushing a source change (containing an exploit), generating a release, then rolling back the change, resulting in the release binary still being listed.

But I had already moved on, after figuring it out myself anyway.

vindicatorr avatar Aug 08 '24 20:08 vindicatorr
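The rollback scenario raised in the comment above (a release built from a commit that is later removed from the branch) can be checked mechanically when the binary reports the commit it was built from, as `zap-cli --version` does with its `Hash:` line. The script below is an added example, not code from the zap project or from anyone in this thread. It assumes that the `Hash:` value is the git commit SHA of the source tree the binary was built from (the page shows the format, not its meaning), builds a throwaway repository to simulate "commit, release, roll back", and checks both that the commit exists and that it is still reachable from the release branch. The hash is self-reported by the binary, so this only catches an honest-but-stale release, not a binary that lies about its origin.

```shell
#!/bin/sh
# Added example (not zap project code). Checks that the commit a binary
# claims to be built from is still an ancestor of the release branch.
set -eu

# extract_hash VERSION_OUTPUT
#   Prints the 40-hex SHA from the "Hash:" line of `zap-cli --version`
#   output; fails if there is no well-formed Hash line.
extract_hash() {
    printf '%s\n' "$1" \
        | sed -n 's/^Hash:[[:space:]]*\([0-9a-f]\{40\}\)[[:space:]]*$/\1/p' \
        | head -n 1 \
        | grep .
}

# hash_on_branch REPO SHA BRANCH
#   0 if SHA is a commit object in REPO and reachable from BRANCH.
#   A commit that was pushed, released, then reset away may still exist
#   as a loose object, so existence alone is not enough: the ancestry
#   check is what detects the rollback.
hash_on_branch() {
    repo=$1; sha=$2; branch=$3
    git -C "$repo" cat-file -e "$sha^{commit}" 2>/dev/null || return 1
    git -C "$repo" merge-base --is-ancestor "$sha" "$branch" 2>/dev/null
}

# make_demo_repo DIR
#   Constructed scenario (not a real zap history): one clean commit on
#   main, one tainted commit, then a hard reset that removes the tainted
#   commit from main. Prints the SHA of the rolled-back commit.
make_demo_repo() {
    dir=$1
    mkdir -p "$dir"
    git -C "$dir" init -q
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" config user.name demo
    git -C "$dir" config user.email demo@example.invalid
    echo 'console.log("zap")' > "$dir/index.js"
    git -C "$dir" add index.js
    git -C "$dir" -c commit.gpgsign=false commit -q -m "clean release commit"
    echo 'console.log("zap"); fetch("http://attacker.invalid")' > "$dir/index.js"
    git -C "$dir" -c commit.gpgsign=false commit -q -am "tainted commit a release was built from"
    bad=$(git -C "$dir" rev-parse HEAD)
    git -C "$dir" reset -q --hard HEAD~1
    printf '%s\n' "$bad"
}

# main: run the scenario end to end. Hypothetical version output is
# constructed inline with the clean commit's SHA substituted in.
main() {
    tmp=$(mktemp -d)
    bad=$(make_demo_repo "$tmp/repo")
    good=$(git -C "$tmp/repo" rev-parse main)
    for sha in "$good" "$bad"; do
        out=$(printf 'Version: 2023.3.27\nFeature level: 94\nHash: %s\nMode: binary\n' "$sha")
        h=$(extract_hash "$out")
        if hash_on_branch "$tmp/repo" "$h" main; then
            echo "OK      $h is on main"
        else
            echo "REJECT  $h is not reachable from main (rolled back or never pushed)"
        fi
    done
    rm -rf "$tmp"
}

if [ -n "${RUN_DEMO:-}" ]; then
    main
fi
```

Run with `RUN_DEMO=1 sh check-release-hash.sh` against the constructed repo, or point `hash_on_branch` at a fresh clone of the real repository and feed it the `Hash:` line from the binary you downloaded. In a fresh clone the rolled-back commit would not even exist as an object, so the `cat-file` check fails first; the ancestry check covers the case where you are using a long-lived local clone that still has it.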

Fair enough. I'll fix it for you. Sorry about that

paulr34 avatar Aug 08 '24 20:08 paulr34

@vindicatorr PR: https://github.com/project-chip/zap/pull/1396

paulr34 avatar Aug 09 '24 15:08 paulr34

let me know if you need any more details

paulr34 avatar Aug 09 '24 16:08 paulr34