
Mark BOM entry as Launch #111

Merged
merged 2 commits into from
Sep 24, 2021

Conversation

dmikusa
Contributor

@dmikusa dmikusa commented Sep 24, 2021

While Rust is not a launch dependency, its version is important to know because it statically compiles binaries. Thus we are going to include its dependency into the launch BOM. This also works around an issue with buildpacks where the build BOM is not really visible. It's not included in pack inspect and the BOM label on the image.

Resolves #26

While Rust is not a launch dependency, its version is important to know because it statically compiles binaries. Thus we are going to include its dependency into the launch BOM. This also works around an issue with buildpacks where the build BOM is not really visible. It's not included in `pack inspect` and the BOM label on the image.

Signed-off-by: Daniel Mikusa <dmikusa@vmware.com>
@dmikusa dmikusa added semver:patch A change requiring a patch version bump type:bug A general bug labels Sep 24, 2021
@dmikusa dmikusa requested a review from a team as a code owner September 24, 2021 13:23
ForestEckhardt
ForestEckhardt previously approved these changes Sep 24, 2021
@ForestEckhardt ForestEckhardt dismissed their stale review September 24, 2021 14:28

Had a quick think

@ForestEckhardt
Contributor

I think that there is something in the works for pack to allow a user to obtain the Build BOM. I think that would make more sense than having this kinda lie about when it is present in the container. I am willing to hear out more on this and maybe this is a good temporary measure, but I would like to just tap the brakes really quickly on this!

@dmikusa
Contributor Author

dmikusa commented Sep 24, 2021

@ForestEckhardt - Yes, I think you're referring to buildpacks/libcnb#77.

I do see this as a workaround, but I think you could also make a case that it should be included in the Launch layer. Rust is like Go in that it statically compiles things into the produced binaries. That means you need to know what tools did the compiling to know if your binaries are impacted by a CVE or bug. It's a little more pronounced in Go because Go compiles in a standard library, but the issue is the same with Rust or any other language tool set that makes use of static compilation.

I did look at the paketo-buildpacks/go-dist buildpack and it is, as far as I can tell, setting build and launch on its Go BOM entry.
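The practical consequence of the discussion above is that a scanner working only from the image should be able to read the Rust toolchain version out of the BOM label. As an added example (not part of this PR or of the buildpack's own code), this Go snippet parses a constructed `io.buildpacks.build.metadata` label value and returns the recorded version for a named tool; the entry layout (a `name` plus a `metadata.version` string) is assumed, and the sample label is constructed, not taken from a real image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// bomEntry is the assumed shape of one entry in the label's "bom" list:
// a name plus a free-form metadata map (libcnb-style).
type bomEntry struct {
	Name     string                 `json:"name"`
	Metadata map[string]interface{} `json:"metadata"`
}

type buildMetadata struct {
	BOM []bomEntry `json:"bom"`
}

// sampleLabel is a constructed label value for this example only.
const sampleLabel = `{"bom":[
  {"name":"rust","metadata":{"version":"1.55.0","uri":"https://example.invalid/rust.tar.gz"}},
  {"name":"cargo-install","metadata":{"version":"0.1.0"}}
]}`

// ToolchainVersion returns the version recorded in the image BOM for the
// named tool, or "" when no such entry exists. An empty result is the
// situation this PR fixes for Rust: without a launch BOM entry the image
// cannot be matched against toolchain advisories from its label alone.
func ToolchainVersion(label, name string) (string, error) {
	var md buildMetadata
	if err := json.Unmarshal([]byte(label), &md); err != nil {
		return "", fmt.Errorf("parse build metadata label: %w", err)
	}
	for _, e := range md.BOM {
		if !strings.EqualFold(e.Name, name) {
			continue
		}
		if v, ok := e.Metadata["version"].(string); ok {
			return v, nil
		}
	}
	return "", nil
}

func main() {
	v, err := ToolchainVersion(sampleLabel, "rust")
	fmt.Println(v, err)
}
```

On a real image the label value comes from `docker inspect` (or `pack inspect`), and the same lookup tells you whether a statically linked binary was built with an affected compiler release.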

@ForestEckhardt
Contributor

> I did look at the paketo-buildpacks/go-dist buildpack and it is, as far as I can tell, setting build and launch on its Go BOM entry.

That is only true for the unit test; during actual operation in a standard buildpack configuration, the Go dependency only goes into the Build BOM.

As for the exposure of the Build BOM I am referencing this issue here buildpacks/pack#1221

@dmikusa
Contributor Author

dmikusa commented Sep 24, 2021

Lol, that is the issue I meant to link to but copy and paste is hard. Sorry.

> That is only true for the unit test; during actual operation in a standard buildpack configuration, the Go dependency only goes into the Build BOM.

OK, that's good to know. I guess then we should label this as a temporary workaround. I can adjust the comment to indicate it should be removed when the pack issue is resolved.

@ForestEckhardt
Contributor

That totally works for me!

Signed-off-by: Daniel Mikusa <dmikusa@vmware.com>
@dmikusa
Contributor Author

dmikusa commented Sep 24, 2021

Comment updated.

@ForestEckhardt ForestEckhardt merged commit 3023a20 into main Sep 24, 2021
@ForestEckhardt ForestEckhardt deleted the bom-fix branch September 24, 2021 17:48
Development

Successfully merging this pull request may close these issues.

Add BOM Support