Might be worth committing build products

paulmillr / noble-secp256k1

Fastest 4KB JS implementation of secp256k1 signatures and ECDH

https://paulmillr.com/noble

MIT License

757 stars 114 forks source link

Might be worth committing build products #51

Closed brandonblack closed 1 year ago

brandonblack commented 2 years ago

Arguments in favor of committing build products:

Puts a PGP signature on the build products that can be matched against published artifacts
Allows depending on github versions directly
Easier direct audit of the code that will actually be provided to the runtime for execution

See https://github.com/bitcoinjs/bitcoinjs-lib for an example of a project that checks in the build products.

paulmillr commented 2 years ago

So we have build/noble-secp256k1.js, which is a standalone version i'm attaching to GH releases; lib/index.js, lib/esm/index.js. What would be the most useful to expose?

brandonblack commented 2 years ago

I believe committing lib/index.js and lib/esm/index.js both would let all npm/yarn users add a git version directly to their package.json and not have to wait for releases.

I've just been checking all three in over here https://github.com/brandonblack/noble-secp256k1/commit/856129c06436fb696bab7d827edad5effdffaee2 on top of your latest to facilitate development.

Over in bitcoinjs-lib land, they have a CI step that ensures that after running the build again on the CI, the build products exactly match those that are checked in.

paulmillr commented 1 year ago

will be in v2.0