-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vendor Cargo dependencies #267
base: msft-main
Are you sure you want to change the base?
Conversation
cf07fbc
to
cc7ce2f
Compare
cc7ce2f
to
8e2cea3
Compare
Target rust folders: src/tardev-snapshotter, src/agent, src/utarfs, src/overlay The change involves vendoring Cargo dependencies to enhance build reproducibility and security. All dependencies are downloaded and stored locally in a vendor directory, eliminating the need to fetch them from external sources during builds. The projeci's Cargo configuration is updated to prioritize these vendored sources, ensuring consistent, self-contained builds regardless of external factors like network availability or changes in dependency repositories. By committing the vendor directory to version control, the project gains improved security, faster build times, and determinism. Developers must refresh the vendored dependencies whenever updates are made to the Cargo.toml, by re-running cargo vendor. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
8e2cea3
to
7fa67f9
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed this by checking it out locally and LGTM.
But let's hold off on merging for now as @danmihai1 suggested an alternative approach that we might want to evaluate: don't vendor everything from the get go, but instead, for each package that needs to be patched, incrementally add it to the vendors.
Target rust folders: src/tardev-snapshotter, src/agent, src/utarfs, src/overlay
The change involves vendoring Cargo dependencies to enhance build reproducibility and security. All dependencies are downloaded and stored locally in a vendor directory, eliminating the need to fetch them from external sources during builds. The projeci's Cargo configuration is updated to prioritize these vendored sources, ensuring consistent, self-contained builds regardless of external factors like network availability or changes in dependency repositories. By committing the vendor directory to version control, the project gains improved security, faster build times, and determinism. Developers must refresh the vendored dependencies whenever updates are made to the Cargo.toml, by re-running cargo vendor.
Merge Checklist
upstream/missing
label (orupstream/not-needed
) has been set on the PR.Summary
Test Methodology
Spec file changes (draft): microsoft/azurelinux@mahuber/kata-3.2.0.azl4...archana1/remove-rust-deps
Buddy Build of kata-containers and kata-containers-cc: https://dev.azure.com/mariner-org/mariner/_build?definitionId=2190&_a=summary (https://dev.azure.com/mariner-org/mariner/_build/results?buildId=693264&view=results)