grafana: 7.3.3 -> 7.3.4 #104794
Merged
grafana: 7.3.3 -> 7.3.4 #104794
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WilliButz
added
the
9.needs: port to stable
ofborg
bot
requested review from
fpletz,
Frostman,
globin,
offlinehacker,
kalbasit and
Ma27
Ma27
approved these changes
Nov 25, 2020
|
@WilliButz do you have an idea why ofborg is failing like this (https://logs.nix.ci/?key=nixos/nixpkgs.104794&attempt_id=07f48470-5654-4b14-8c2f-2757606a823a): When I run |
|
@Ma27 I have no idea. I am also unable to reproduce the mismatch on two other hosts 🤔 @GrahamcOfBorg test grafana |
|
I just managed to get the same hash as ofborg on a hetzner server in helsinki: On five other hosts I tested, it's the same hash we both get: |
|
Even though a colleague just confirmed the other hash on their server in Finland as well, to me the issue does not seem to be CDN-related - or at least not DNS-related, because all hosts I tested resolve the FQDN to the same IPs. |
|
@GrahamcOfBorg build grafana cc @grahamc @cole-h would you mind taking a look? (tl;dr we have a hash mismatch, see comment #104794 (comment)) (maybe a rebuild helps :p) |
|
I diffed the tarball contents 🙃 Binary files grafana-7.3.4-ger/bin/grafana-cli and grafana-7.3.4-fin/bin/grafana-cli differ
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/bin/grafana-cli.md5 grafana-7.3.4-fin/bin/grafana-cli.md5
--- grafana-7.3.4-ger/bin/grafana-cli.md5 2020-11-24 13:26:53.000000000 +0100
+++ grafana-7.3.4-fin/bin/grafana-cli.md5 2020-11-24 15:31:01.000000000 +0100
@@ -1 +1 @@
-0e8949cbb19ae99265846e4d1fc1b0cc
+07da47b961b5d07ff4bdf012c600dde9
Binary files grafana-7.3.4-ger/bin/grafana-server and grafana-7.3.4-fin/bin/grafana-server differ
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/bin/grafana-server.md5 grafana-7.3.4-fin/bin/grafana-server.md5
--- grafana-7.3.4-ger/bin/grafana-server.md5 2020-11-24 13:26:53.000000000 +0100
+++ grafana-7.3.4-fin/bin/grafana-server.md5 2020-11-24 15:31:01.000000000 +0100
@@ -1 +1 @@
-ae712e79b5544ec3de6103f0feb63c64
+038659c3a97473575e79fdadde9ee15e
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/plugins-bundled/gel-0.6.0/MANIFEST.txt grafana-7.3.4-fin/plugins-bundled/gel-0.6.0/MANIFEST.txt
--- grafana-7.3.4-ger/plugins-bundled/gel-0.6.0/MANIFEST.txt 2020-11-24 13:26:54.000000000 +0100
+++ grafana-7.3.4-fin/plugins-bundled/gel-0.6.0/MANIFEST.txt 2020-11-24 15:31:01.000000000 +0100
@@ -9,7 +9,7 @@
"signedByOrgName": "Grafana Labs",
"plugin": "gel",
"version": "0.6.0",
- "time": 1606220813528,
+ "time": 1606228261061,
"keyId": "7e4d0c6a708866e7",
"files": {
"README.md": "84ddf7143f83dec00d70cb19f64df9dd34ddbadedf05b8c243ef0f512ca46de5",
@@ -23,9 +23,9 @@
Version: OpenPGP.js v4.10.1
Comment: https://openpgpjs.org
-wqAEARMKAAYFAl+8/A0ACgkQfk0ManCIZucJ2gIGLCdaXsXDCHTBTyBxHZ4i
-amUpd9A06WNlJIfuZGECr76Bh4SEJDK4mHOc6zNtbBj+Qx45i/1F42RbkjAY
-Wh/hW6ECCOJVvc1nX6l07Vrt5Az5TjvXIvKB1ePi2uNvW4yVhpMFrNkKvf3u
-CO8eJGoWEwJ9ZIrZBfnCn+xr6n7ymGX1yOhf
-=C1Vw
+wqEEARMKAAYFAl+9GSUACgkQfk0ManCIZueJPQIJASLx+jt8IbjSCCQn6Cdl
+NBvK+pCPgl72H+HDjcIAypENm7MNB4cLB9MCzO5zXbP7jTTlOiB9Mahgsnag
+d2LcehB1AgiVXYWTFW1GXGemCcKa6IcPK9Nj7po4QWMsmEhRYPzgii6LDkFK
+xI8OxwGF7ue8zVLfIg431XF9sL5ckiNz0LJPKg==
+=fS0K
-----END PGP SIGNATURE-----
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/plugins-bundled/internal/input-datasource/MANIFEST.txt grafana-7.3.4-fin/plugins-bundled/internal/input-datasource/MANIFEST.txt
--- grafana-7.3.4-ger/plugins-bundled/internal/input-datasource/MANIFEST.txt 2020-11-24 13:26:54.000000000 +0100
+++ grafana-7.3.4-fin/plugins-bundled/internal/input-datasource/MANIFEST.txt 2020-11-24 15:31:01.000000000 +0100
@@ -9,7 +9,7 @@
"signedByOrgName": "Grafana Labs",
"plugin": "input",
"version": "1.0.0",
- "time": 1606220358744,
+ "time": 1606227787023,
"keyId": "7e4d0c6a708866e7",
"files": {
"LICENSE": "cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30",
@@ -25,9 +25,9 @@
Version: OpenPGP.js v4.10.1
Comment: https://openpgpjs.org
-wqAEARMKAAYFAl+8+kYACgkQfk0ManCIZufZCQIHZD2ma6mUfEm8tEZnyu/H
-lc1p+2mhO8TtXQVTr0RO+usccNBjagE10D/Ju0lVc1cp4lCbejilHUYXygsH
-GqJwdcsCB3haRkb8W4azHdCdv/qjysmwDhyJMxGAgJpxZARBeTZSMsaUaG6X
-8pYYhNHee66QRXYUO++HCiGaLYKHNAihLszK
-=QfaJ
+wqAEARMKAAYFAl+9F0sACgkQfk0ManCIZueqfQIIi+EC0/NUx4pMu2qQu9O0
+u0dm42DBDHrIfl8uUZXS3o4g/MHCOTj25yb87Duqkpl2KD3tG04Kul75HKoE
+GGrT2fECCNgM2Ketw9H/BSeoNvri7utlOX9n2u1Y+HNG3EQH9N0wpi6HCpJA
+5QEcrVMcMGVVgm7ogaK2BorwySi1n39xaYdz
+=kvlm
-----END PGP SIGNATURE-----
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/scripts/lib.star grafana-7.3.4-fin/scripts/lib.star
--- grafana-7.3.4-ger/scripts/lib.star 2020-11-24 13:26:53.000000000 +0100
+++ grafana-7.3.4-fin/scripts/lib.star 2020-11-24 15:31:01.000000000 +0100
@@ -301,6 +301,7 @@
'image': publish_image,
'depends_on': [
'build-storybook',
+ 'end-to-end-tests',
],
'environment': {
'GCP_KEY': {
diff -u '--color=always' -u --color -r grafana-7.3.4-ger/scripts/release.star grafana-7.3.4-fin/scripts/release.star
--- grafana-7.3.4-ger/scripts/release.star 2020-11-24 13:26:53.000000000 +0100
+++ grafana-7.3.4-fin/scripts/release.star 2020-11-24 15:31:01.000000000 +0100
@@ -45,7 +45,8 @@
'name': 'release-npm-packages',
'image': build_image,
'depends_on': [
- 'end-to-end-tests',
+ # Has to run after publish-storybook since this step cleans the files publish-storybook depends on
+ 'publish-storybook',
],
'environment': {
'NPM_TOKEN': {
@@ -78,8 +79,8 @@
if publish:
steps.extend([
upload_packages_step(edition=edition, ver_mode=ver_mode),
- release_npm_packages_step(edition=edition, ver_mode=ver_mode),
publish_storybook_step(edition=edition, ver_mode=ver_mode),
+ release_npm_packages_step(edition=edition, ver_mode=ver_mode),
])
windows_steps = get_windows_steps(edition=edition, ver_mode=ver_mode)
|
|
FWIW, I also get the That's pretty annoying, but I'm not sure what can be done... |
|
@WilliButz already contacted Grafana's support. Might be an issue with slightly different tarballs delivered on different CDN locations. |
|
A bit over an hour ago I received good news from the Grafana support:
So hopefully ofborg should be fine now :) @GrahamcOfBorg test grafana |
|
Oh, okay the other hash is the one of the more recent version %) |
WilliButz
force-pushed
the
update/grafana/v7.3.4
branch
from
2e5bc36
to
4e4d498
Compare
|
Hopefully the last time: @GrahamcOfBorg test grafana |
Ma27
approved these changes
Nov 25, 2020
|
Ported to 20.09 as debc958! |
Ma27
removed
the
9.needs: port to stable
Ma27
added
the
8.has: port to stable
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Jan 23, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 282c93a7ad12a5d7df590b18c56253d4289ffd3a)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Jan 23, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Jan 23, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Feb 1, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Feb 9, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Feb 23, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Mar 4, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Mar 17, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Mar 23, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Apr 6, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Apr 14, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Ma27
added a commit
to Ma27/nixpkgs
that referenced
this pull request
Apr 20, 2024
Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt from upstream. I recall at least three cases[1][2][3] where we got a hash mismatch eventually. Rather than spending time finding out whether or not it's a supply-chain attack or just a build issue, I decided to implement a source-build now with the following benefits: * It's now actually possible to apply patches for Grafana's frontend. * We rely a little less on third-party build systems. Of course, patching potential vulnerabilities in transitive frontend dependencies is still hard (let alone discovering that this package is affected!), but that's a fundamental issue we have in nixpkgs and I won't invent a half-baked solution just for this package, I still consider this a step into the right direction. The build itself mainly orients on the `yarn` commands used in the upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in `hedgedoc`, writing a custom FoD that downloads all dependencies and writes the offline cache into `$out`[5]. Additionally there are two more notable differences to upstream: * We patch out every dependency to `@grafana/e2e` and `cypress`. The first is a dependency on the latter in another version and the latter downloads random blobs from the Internet in postInstall. Since it's a testing framework (and the `e2e` package apparently a testing library), I decided it's not worth the effort and patched it out everywhere. * There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was installed from `srcStatic`. This only seems to be used on Windows[6] and that's not supported by this package, so I decided to drop it. [1] NixOS#251479 [2] NixOS#130201 [3] NixOS#104794 [4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile [5] NixOS#245170 [6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014 (cherry picked from commit 608db26)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
https://github.com/grafana/grafana/releases/tag/v7.3.4
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)