chore: Don't use clearly defined for license info #101
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I recently struggled with merging a change because the checksums seemed to keep changing. One potential explanation is that the LICENSE file generation is not reproducible; when I test locally only 2/10 runs produce identical license files for all apps. After this change 10/10 runs produce identical license files for all apps. The problems may coincide with warnings about 429 and 502 responses from clearly defined, but I have not confirmed if there is actually a correlation. There are a couple of issues in `cargo-about` vaguely related to the problems I see, but they neither directly address the concern of reproducibility nor seem to be worked by anyone else at the moment: - 218 - 246 I compared the generated license for the `hello_world` app and the differences do not seem catastrophic: - Some licences have been reordered. These all seem to have had an instantiation of the license template replaced with the template itself. - Notices about `aho-corasick` and `memchr` being dual licensed have been removed; The MIT license of both remain. - A comment about `winapi` being dual licensed have been removed. `Makefile`: - Set `--fail` for good measure; It didn't cause any failures for me either with or without `no-clearly-defined` meaning I could not observe any improvements. But in theory it should be easier to detect that it was unnecessarily set than the other way around. `about.toml`: - Set `no-clearly-defined` because this stops `cargo-about` from consulting clearly defined, which seems to make the builds reproducible. Other potential benefits from this include lower risk of supply chain attacks and faster builds.
apljungquist
force-pushed
the
no-clearly-defined
branch
from
729594b to
8f74b17
Compare
apljungquist
added a commit
that referenced
this pull request
Nov 5, 2024
* upstream/main: (48 commits) chore: Use workspace dependencies consistently (#126) fix(axevent_example): Return `Break` from signal handlers (#125) chore(deps): bump ghcr.io/devcontainers/features/common-utils (#124) feat(device-manager): Allow unsigned ACAPs (#122) feat(acap-build): Enable bypassing `acap-build` (#119) chore: streamline CI (#118) fix: Don't invalidate Cargo caches (#117) fix(acap-ssh-utils): Warn users that commands may break (#114) feat: Factor out `acap-build` wrapper to lib crate (#112) feat: Add `fleet-manager` program (#111) feat: Add edge storage wrapper and example (#108) fix: Measure apparent size (#107) chore(acap-logging): Bump version (#106) fix(cargo-acap-sdk): Set executable bits (#105) fix(acap-logging)!: Disable default features for env_logger (#103) chore: Track size of apps (#102) chore: Don't use clearly defined for license info (#101) Update rust toolchain to 1.80.1 (#100) fix!: Make builds reproducible in dev-container (#99) feat(axevent)!: Use generic callbacks and remove leak (#59) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I recently struggled with merging a change because the checksums seemed to keep changing. One potential explanation is that the LICENSE file generation is not reproducible; when I test locally only 2/10 runs produce identical license files for all apps. After this change 10/10 runs produce identical license files for all apps.
The problems may coincide with warnings about 429 and 502 responses from clearly defined, but I have not confirmed if there is actually a correlation.
I compared the generated license for the
hello_worldapp and the differences do not seem catastrophic:aho-corasickandmemchrbeing dual licensed have been removed; The MIT license of both remain.winapibeing dual licensed have been removed.Makefile:--failfor good measure; It didn't cause any failures for me either with or withoutno-clearly-definedmeaning I could not observe any improvements. But in theory it should be easier to detect that it was unnecessarily set than the other way around.about.toml:no-clearly-definedbecause this stopscargo-aboutfrom consulting clearly defined, which seems to make the builds reproducible. Other potential benefits from this include lower risk of supply chain attacks and faster builds.