Closed alnvdl-work closed 5 months ago
Thank you for reporting us your feedback!
The internal ticket has been created: https://warthogs.atlassian.net/browse/CRAFT-2852.
This message was autogenerated
if we use override-build to customize the invocation of npm install as needed by our application
Can you talk about this customization in your specific case? One way to bypass this issue altogether would be to improve the plugin so that it does what you need it to do without having to override steps.
Talked with @tigarmo in PMs. I did not know about craftctl default (https://snapcraft.io/docs/using-craftctl). That solved the problem for me, quite elegantly.
However, I believe the second part of this issue (downloading NodeJS without running a checksum) still persists. So I renamed it, and I will leave this open.
Fixed by PR #719
Bug Description
Problem 1 (solved; see below)
The npm plugin installs NodeJS during the build step: https://github.com/canonical/craft-parts/blob/2b16c15d81e9ed6ffef6a3d1074b6482953cd38c/craft_parts/plugins/npm_plugin.py#L179-L197
When building a ROCK, if we use override-build to customize the invocation of npm install as needed by our application, we don't get NodeJS installed. So we have to either download and install NodeJS ourselves, or resort to hacks like building the application during the stage step.
For building this ROCK, we found a nice workaround using overlay-script, which is good enough for us for now to install NodeJS independently:
Problem 2
Somewhat related to this: the download of NodeJS should also ideally have its checksum verified to mitigate the impacts of any supply-chain attacks and eliminate the problem of corrupted downloads, maybe doing something similar to what Docker does: https://github.com/nodejs/docker-node/blob/1fc16c3d1ea2be71fba69115f59d0e8f99876692/18/buster/Dockerfile
To Reproduce
Try to build any application whose npm install process needs to be customized to be different from the default dictated by the part.
part yaml
No response
Relevant log output
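
For Problem 2 above, a sketch of the checksum step as an added example (not code from the issue, from craft-parts, or from PR #719): it parses a sha256sum-style checksum list, hashes the downloaded file in chunks, and fails closed on a mismatch or an unlisted file. The function names, the placeholder file name and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import io


class ChecksumError(Exception):
    """Raised when a download cannot be matched to a trusted digest."""


def parse_shasums(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a dict."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            sums[name] = digest
    return sums


def verify_download(fileobj, filename, shasums_text, chunk_size=65536):
    """Return the SHA-256 of fileobj if it matches the listed digest, else raise."""
    expected = parse_shasums(shasums_text).get(filename)
    if expected is None:
        # Fail closed: an unlisted file is never treated as "nothing to check".
        raise ChecksumError(f"no checksum listed for {filename}")
    hasher = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        hasher.update(chunk)
    actual = hasher.hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError(f"{filename}: expected {expected}, got {actual}")
    return actual


# Constructed sample data (not a real NodeJS release): placeholder name and bytes.
SAMPLE_NAME = "node-vX.Y.Z-linux-x64.tar.gz"
SAMPLE_TARBALL = b"constructed stand-in for the NodeJS tarball\n" * 1000
SAMPLE_SHASUMS = (
    f"{'0' * 64}  node-vX.Y.Z-darwin-x64.tar.gz\n"
    f"{hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  {SAMPLE_NAME}\n"
)

if __name__ == "__main__":
    print("verified:", verify_download(io.BytesIO(SAMPLE_TARBALL), SAMPLE_NAME, SAMPLE_SHASUMS))
    try:
        verify_download(io.BytesIO(SAMPLE_TARBALL[:-1]), SAMPLE_NAME, SAMPLE_SHASUMS)
    except ChecksumError as err:
        print("rejected:", err)
```

A checksum list fetched from the same server as the tarball only catches corrupted downloads; to cover the supply-chain case, the list has to be signature-verified or the expected digest pinned in the build definition.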