This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2022-10-05
Channels
- # announcements (14)
- # aws (7)
- # babashka (28)
- # beginners (16)
- # calva (2)
- # cider (1)
- # clj-commons (8)
- # clj-kondo (29)
- # clojure (213)
- # clojure-europe (39)
- # clojure-losangeles (2)
- # clojure-norway (9)
- # clojure-spec (2)
- # clojurescript (11)
- # community-development (1)
- # conjure (2)
- # cursive (6)
- # datalevin (2)
- # datomic (8)
- # emacs (29)
- # events (1)
- # fulcro (22)
- # graalvm (14)
- # improve-getting-started (1)
- # jobs (1)
- # lambdaisland (5)
- # leiningen (4)
- # lsp (7)
- # malli (13)
- # meander (11)
- # membrane (13)
- # off-topic (23)
- # polylith (9)
- # re-frame (4)
- # reagent (7)
- # reitit (6)
- # releases (2)
- # sql (58)
- # testing (8)
- # tools-deps (18)
- # web-security (2)
I just watched "The Secure Software Supply Chain" talk from Strange Loop this year. What's the story on reproducible builds with Clojure? After a quick experiment with some local projects it doesn't look like we're there out of the box, but is there support for this on the horizon?
I talked to Kelsey about it a bit after the talk
I dabble in the NixOS world and my understanding is that reproducability with the JVM is tough.
Do you know if the CLJS folks are looking at it as well? JS has it's own dependency craziness.
no, I don't have an understanding of the equivalent issues there
reproducibility is not really the bit that I'm focused on (re-reading the original question above) - that has never been a strong goal for us from Clojure perspective. what we do want is more traceability and verification
I do think it's important that we should be able to connect signed commits in git -> signed releases, with verification, and better tracking of both provenance and full dep set when you do an application build, and having those tools be as automatic and included as possible
as far as CLJS is concerned the only real hurdle is (RT/nextId) not being controllable. (gensym) uses it, so it pops up all over the place and ens up generating slightly different code each time since its an ever increasing integer
another hurdle is the :advanced compilation done by the Closure Compiler, its not fully deterministic either but would be closer with more "stable" JS generated by the cljs compiler
We have experimented a bit with this, and opened https://ask.clojure.org/index.php/12249/bytecode-not-100-deterministic-given-identical-inputs at some point
By using the patched hashCode and patching a logging library we use, @U06GVE6NR was able to get a sizeable production clojure project to build reproducibly.
So I feel like the way to reproducible builds is probably not super hard
Depending on your setup, you may also need to do (some of) the things in https://reproducible-builds.org/docs/jvm/ Nix takes care of most of that if you're actually building via a derivation, though.
@U04V5VAUN your signing of the jars might not be for naught after all!
I’d like to take credit for being responsible about my verified github commits, but I only set it it all up because @U04VDQDDY’s planck repo required it!