Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] CRA Standardisation request
Yes, I agree that upstream can’t know about the ultimate version of its deps until integration - but it DOES know about the version of the deps it needs (no matter how fuzzy)…

On Tue, 18 Feb 2025 at 21:01, Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
On 2/18/2025 11:08 AM, Daniel Thompson-Yvetot via
open-regulatory-compliance wrote:
> @Tobie - if you think the lack of idempotency for libraries is
> troubling, wait til you hear about the new techniques around module
> federation. ;)

For awareness:  The 'lack of idempotency for libraries' problem is not
limited to the _javascript_/npm example.  The problem also exists...and is
arguably significantly harder...in the install technology used by
Eclipse-based projects and products (called 'equinox p2').

>
> But seriously I think the text is a copout from the JS sec team. I
> agree with Dick, some knowledge is better than none, e.g. in practice,
> I don’t care what version of jquery is used, if it is in your
> package.json / lockfile / reposource I will deep dive.
>
> I feel that their analysis is missing the fact that a library’s entire
> dependency tree can be inferred from the package.JSON - and that
> information IS valuable.

Admittedly it's valuable...but it's also *static*.  Just the fact that
in osgi/p2 acceptable version *ranges* constraints are given for
dependencies means that the target environment (i.e. what else is
present at install time as well as what repos are know/available) will
determine the dependency resolution....i.e. what version of a dependency
is resolved dynamically at install time.

>
> The guarantee of a library is that it will never have dependencies
> other than direct, indirect, or transitive. Maybe the lesson here is
> that a library should “presolve” for a known range of upstream library
> versions that are expected to be viable.

That would also end up being static (across time/new versions of
dependencies)...and so would require regular library-level (or lower)
maintenance.

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

Back to the top