Import paths in burmilla/trash are not updated, still pointing to rancher/trash #58

@h8liu

In the main Dockerfile.dapper (the ubuntu one), it builds and installs burmilla/trash using go get github.com/burmilla/trash. However, import paths in the burmilla/trash repository still point to rancher/trash. As a result, the trash binary will be compiled from code from both burmilla/trash and rancher/trash. If code in rancher/trash changes, the build process might break.

This is at least an inconsistency. Do we treat rancher/trash as our official upstream? Or do we want to fully branch off and use everything from github.com/burmilla (we can still optionally keep tracking updates on rancher, but we need to update all import paths)?

Other go-gettable build tools (such as the dapper forked repo) have similar issues.

Another higher-level thing is that the build process currently fetches a lot of stuff from the Internet, mostly without checking against any hashes. IMHO, this is a huge reliability -- and even security -- issue. Although most channels and fetching-sources can be considered trustworthy, many of them are quite mutable (and it is not unheard of that attackers might be able to poison trusted software distribution channels).

Failure example: burmilla/os-kernel@6a6748a
(and rancher is still ignoring my PR: rancher-archives/dapper#93; I suspect the project is dying..)

So folks, a high-level question: is it a desirable goal to build as much as possible from source (with a fixed set of toolchain Docker images) without Internet access?
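A check a fork's CI could run to catch the stale import paths described in this issue, written as an added example (not code from the issue author or from burmilla/rancher). The function name `StaleImports`, the sample tree and the sub-package names `conf` and `util` are constructed for illustration; pass `os.DirFS(".")` to scan a real checkout.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"strconv"
	"strings"
	"testing/fstest"
)

// StaleImports walks fsys and returns "file: import" for every Go import equal to oldPrefix or below it.
func StaleImports(fsys fs.FS, oldPrefix string) ([]string, error) {
	var hits []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, ".go") {
			return err // nil for directories and non-Go files
		}
		src, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		// ImportsOnly stops after the import block, so comments and code bodies are never matched.
		f, err := parser.ParseFile(token.NewFileSet(), p, src, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, imp := range f.Imports {
			path, _ := strconv.Unquote(imp.Path.Value)
			if path == oldPrefix || strings.HasPrefix(path, oldPrefix+"/") {
				hits = append(hits, p+": "+path)
			}
		}
		return nil
	})
	return hits, err
}

// sampleTree is a constructed stand-in for a forked repository's source tree.
func sampleTree() fs.FS {
	return fstest.MapFS{
		"main.go":      {Data: []byte("package main\nimport (\n\t\"fmt\"\n\t\"github.com/rancher/trash/conf\"\n)\nfunc main() { fmt.Println(conf.X) }\n")},
		"conf/conf.go": {Data: []byte("package conf\nimport _ \"github.com/burmilla/trash/util\"\nvar X = 1\n")},
		"doc.go":       {Data: []byte("package main\n// mentions github.com/rancher/trash only in a comment\n")},
	}
}

func main() { fmt.Println(StaleImports(sampleTree(), "github.com/rancher/trash")) }
```

A non-empty result means the build would still pull code from the old upstream, so a CI job can fail on it.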

Labels: bug, question