chainguard-dev / melange

build APKs from source code
Apache License 2.0

Lockfiles (like `.melange.lock`) #27

Open kpcyrd opened 2 years ago

kpcyrd commented 2 years ago

hi!

It would be cool to have lockfiles like .melange.lock that work similar to Cargo.lock.

With a configuration like this:

```yaml
environment:
  contents:
    repositories:
      - https://dl-cdn.alpinelinux.org/alpine/edge/main
      - https://dl-cdn.alpinelinux.org/alpine/edge/community
    packages:
      - alpine-baselayout-data
      - busybox
      - make
      - go
      - git
      - ca-certificates-bundle
```

The lockfile would contain the resolved versions for make, go, git, etc. and help achieve reproducible builds even if one of the packages was updated in Alpine in the meantime.

The file could be generated with a command like `melange update`, and TOML would probably be a good fit since it works well in `git diff` and has good machine readability.
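A sketch of the lockfile idea from the comment above, added here as an illustration rather than code from melange or the issue author: it pins the packages listed in the config to the version and checksum an Alpine-style APKINDEX currently serves, renders the pins as TOML, and flags drift when the repository later ships a rebuilt package. The APKINDEX excerpt, versions, checksums and the `packages.<name>` TOML layout are all constructed for the example.

```python
# Constructed APKINDEX excerpt (three of the packages from the config above)
# in Alpine's record format: blank-line separated, P: name, V: version,
# C: checksum. Versions and checksums here are made-up placeholders.
INDEX_BEFORE = """\
P:make
V:4.4.1-r2
C:Q1MAKE-SUM-PLACEHOLDER=

P:go
V:1.21.4-r0
C:Q1GO-SUM-PLACEHOLDER-A=

P:git
V:2.43.0-r0
C:Q1GIT-SUM-PLACEHOLDER=
"""
# The same repository after Alpine edge rebuilt go: the lock must notice.
INDEX_AFTER = INDEX_BEFORE.replace("1.21.4-r0", "1.21.5-r0").replace("-A=", "-B=")
CONFIG = {"environment": {"contents": {"packages": ["make", "go", "git"]}}}

def parse_apkindex(text):
    """Map package name -> {version, checksum} from APKINDEX text."""
    index = {}
    for record in text.strip().split("\n\n"):
        f = dict(l.split(":", 1) for l in record.splitlines() if ":" in l)
        index[f["P"]] = {"version": f["V"], "checksum": f["C"]}
    return index

def resolve_lock(config, index):
    """Pin every requested package to what the repository serves right now."""
    wanted = config["environment"]["contents"]["packages"]
    missing = [n for n in wanted if n not in index]
    if missing:
        raise LookupError(f"not in any configured repository: {missing}")
    return {n: dict(index[n]) for n in wanted}

def lock_to_toml(lock):
    """Render the lock as TOML, the format proposed in the issue."""
    out = []
    for name, pin in sorted(lock.items()):
        out += [f'[packages."{name}"]', f'version = "{pin["version"]}"',
                f'checksum = "{pin["checksum"]}"', ""]
    return "\n".join(out)

def check_lock(lock, index):
    """(name, locked, current) for each pin whose checksum changed or vanished."""
    return [(n, p["version"], index[n]["version"] if n in index else None)
            for n, p in lock.items()
            if n not in index or index[n]["checksum"] != p["checksum"]]
```

Comparing checksums rather than version strings is what makes the check catch a same-version rebuild as well as a plain version bump.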

kaniini commented 2 years ago

I have a different plan for this, where you run a command and it generates a local repo containing the packages used. You could then use this “lock repo” for this purpose. That way there are no ambiguities with the packages.

kaniini commented 2 years ago

Pushing to v0.2 because the prerequisites for lock repos won't land in apko until apko v0.5.