Reproducible builds for plugins (and clients?) #2728

Closed
MaxKsyunz opened this issue Oct 13, 2022 · 5 comments
Labels
enhancement New Enhancement

Comments

@MaxKsyunz
Contributor

MaxKsyunz commented Oct 13, 2022

Is your feature request related to a problem? Please describe

Plugin builds depend on libraries from OpenSearch core. They also use a lot of the same packages. jackson-databind is a good example.

Whenever core libraries bump the version of any such package, plugin builds start to fail until they bump the version as well.

It's disruptive whenever this happens.

Describe the solution you'd like

Plugin builds to be reproducible.

Describe alternatives you've considered

No response

Additional context

No response

@MaxKsyunz MaxKsyunz added enhancement New Enhancement untriaged Issues that have not yet been triaged labels Oct 13, 2022
@gaiksaya
Member

gaiksaya commented Oct 13, 2022

[Triage] Hi @MaxKsyunz ,

Can you please elaborate more on what you mean by "reproducible"? Also, what is expected to happen, more precisely?
cc: @dblock

@gaiksaya gaiksaya removed the untriaged Issues that have not yet been triaged label Oct 13, 2022
@MaxKsyunz
Contributor Author

Reproducible builds mean that two builds of the same source will generate the same binary. There's a site with more info. The main goal is greater security but it also improves developer experience as well.

Here's a simplified example of how this affects development.

opensearch-sql plugin uses jackson-core and opensearch-rest-high-level-client which also depends on jackson-core:

```mermaid
graph LR;
  opensearch-sql ---> jackson-core;
  opensearch-sql ---> opensearch-rest-high-level-client;
  opensearch-rest-high-level-client ---> jackson-core;
```

Due to CVEs, the jackson-core version gets bumped in opensearch-rest-high-level-client. This new version, with the same version number, is published on Maven. As soon as that happens, opensearch-sql CI actions start to fail because of the version clash of `jackson-core`.

Now someone needs to update jackson-core version in opensearch-sql 2.x branch and everyone else working on a branch of opensearch-sql needs to do that as well.

As soon as this PR is merged, we'll run into this as well.
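To make the definition in the comment above concrete, here is an added Python example (not from the issue or from the OpenSearch build) that packs a jar-like archive twice and reports why the two outputs differ. The file names, contents and timestamps are constructed, and `build_archive` and `explain_difference` are hypothetical helpers.

```python
import hashlib
import io
import zipfile

# Constructed sample inputs: a plugin archive bundling one dependency jar.
SOURCE = {"plugin/Plugin.class": b"constructed class bytes",
          "lib/dep-1.0.jar": b"dependency as first published"}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the zip format can store


def build_archive(files, mtime, reproducible=False):
    """Pack {name: bytes} into a jar-like zip and return the archive bytes."""
    # A reproducible build fixes entry order and timestamps; a naive one
    # inherits whatever order and clock the build machine happens to have.
    names = sorted(files) if reproducible else list(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, FIXED_TIME if reproducible else mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def digest(archive):
    """SHA-256 of the archive bytes, the value two builders would compare."""
    return hashlib.sha256(archive).hexdigest()


def explain_difference(a, b):
    """List the reasons two archives are not byte-for-byte identical."""
    ea = zipfile.ZipFile(io.BytesIO(a)).infolist()
    eb = zipfile.ZipFile(io.BytesIO(b)).infolist()
    names_a, names_b = [e.filename for e in ea], [e.filename for e in eb]
    reasons = []
    if sorted(names_a) != sorted(names_b):
        reasons.append("entry set differs")
    elif names_a != names_b:
        reasons.append("entry order differs")
    by_name = {e.filename: e for e in eb}
    for e in ea:
        other = by_name.get(e.filename)
        if other is None:
            continue
        if e.CRC != other.CRC:
            reasons.append(f"content differs: {e.filename}")
        if e.date_time != other.date_time:
            reasons.append(f"timestamp differs: {e.filename}")
    return reasons
```

With order and timestamps fixed, the only remaining source of a digest mismatch in this example is an input that changed, such as a dependency republished under the same version number.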

@MaxKsyunz
Contributor Author

Here's another issue in the same vein.
The error I'm seeing is:

```
> Could not find com.netflix.nebula:nebula-core:3.0.0.
     Searched in the following locations:
       - file:/home/runner/.m2/repository/com/netflix/nebula/nebula-core/3.0.0/nebula-core-3.0.0.pom
       - https://aws.oss.sonatype.org/content/repositories/snapshots/com/netflix/nebula/nebula-core/3.0.0/nebula-core-3.0.0.pom
       - https://repo.maven.apache.org/maven2/com/netflix/nebula/nebula-core/3.0.0/nebula-core-3.0.0.pom
       - https://plugins.gradle.org/m2/com/netflix/nebula/nebula-core/3.0.0/nebula-core-3.0.0.pom
     Required by:
         project : > org.opensearch.gradle:build-tools:2.4.0-SNAPSHOT:20221105.061416-146 > com.netflix.nebula:nebula-publishing-plugin:4.4.4
```

@gaiksaya
Member

Hi @MaxKsyunz ,

Is this issue still valid?

@peterzhuamazon
Member

Seems like resolved right here now:

Thanks.
