Hi Alexander, first of all thanks for the efforts. Some comments to add to the mix:

2017-03-10 16:10 GMT+01:00 Alexander Kanavin <alexander.kana...@linux.intel.com>:
> The lockdown files would list the versions of the dependencies (if it is
> possible, which is not always true), so you can inspect those to see if
> something is vulnerable. In node.js or Go worlds the libraries are not
> reused between apps anyway, so it really doesn't matter if they're packaged
> as separate recipes or not (I didn't have time to check Rust, but as it's
> also using lockdown files, I believe the libraries are not reused either).

I don't know if you've heard of the lately popular idea of "microservices" - but basically it comes down to having multiple specialized node applications installed. In practice those applications often share the dependencies, so it would totally make sense to use the packages approach so that the dependencies don't need to be installed in multiple copies. Perhaps not with a recipe per npm package, but maybe with some more advanced bitbake magic or a post-rootfs hook to run deduplication.

What works most of the time is using shrinkwrap to freeze the dependencies to some local npm mirror, so the concept of lockdown would make sense. Just a word of warning that it sometimes doesn't work that well - some of the npm packages (in the dependency chain) may have hard-coded URIs to e.g. gitlab, and shrinkwrap will keep those references instead of the npm mirror. Also npm itself doesn't really check for consistency, it only checks for versions: what can happen is that the contents may change but the version string may not.

In terms of node, yarn [1] seems to address some of the npm shortcomings, but I'm not aware of any progress in regards to yocto integration.

[1] https://yarnpkg.com/

Best regards,
Piotr.

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
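As an added example (not part of Piotr's mail, nor Yocto or npm tooling), the following Node.js script checks the two shrinkwrap problems raised above and the deduplication point in one pass: it flags lock entries whose "resolved" URL does not point at the local mirror (for instance a hard-coded gitlab reference carried in by a transitive dependency), flags entries that are pinned by version string only with no "integrity" hash (so the tarball contents could change without the version changing; npm 5+ lock files carry this field, older shrinkwrap files do not), and lists the name@version pairs that several microservices have in common, which is what a post-rootfs deduplication hook could collapse into a single copy. The mirror URL, the lock file layout (lockfileVersion 1: nested "dependencies" objects with "version", "resolved", "integrity") and the two sample lock files are assumptions constructed for the demo.

```javascript
// Added example, not from the original thread: audit npm-shrinkwrap.json /
// package-lock.json data (lockfileVersion 1 layout assumed) for
//  1. "resolved" URLs that do not point at the expected local mirror,
//  2. entries with no "integrity" hash (pinned by version string only),
// and report name@version pairs shared by more than one application.
// MIRROR and SAMPLE_LOCKS below are constructed for the demo.

const MIRROR = 'https://npm-mirror.example.internal/'; // assumed local mirror

// Recursively walk the nested dependency tree of a lock file.
// Yields { path, name, version, resolved, integrity } for every entry.
function* walk(deps, parentPath = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parentPath, name];
    yield { path, name, version: entry.version, resolved: entry.resolved, integrity: entry.integrity };
    yield* walk(entry.dependencies, path);
  }
}

// Return { offMirror: [{key, resolved}], noIntegrity: [key] } for one lock file.
// "key" is the dependency path, e.g. "left-pad > debug".
function auditLock(lock, mirror = MIRROR) {
  const offMirror = [];
  const noIntegrity = [];
  for (const dep of walk(lock.dependencies)) {
    const key = dep.path.join(' > ');
    if (dep.resolved && !dep.resolved.startsWith(mirror)) {
      offMirror.push({ key, resolved: dep.resolved });
    }
    if (!dep.integrity) noIntegrity.push(key);
  }
  return { offMirror, noIntegrity };
}

// Given { appName: lockObject }, return [{ id: "name@version", apps: [...] }]
// for every package version that appears in more than one application.
function sharedPackages(locks) {
  const seen = new Map(); // "name@version" -> Set of app names
  for (const [app, lock] of Object.entries(locks)) {
    for (const dep of walk(lock.dependencies)) {
      const id = `${dep.name}@${dep.version}`;
      if (!seen.has(id)) seen.set(id, new Set());
      seen.get(id).add(app);
    }
  }
  return [...seen]
    .filter(([, apps]) => apps.size > 1)
    .map(([id, apps]) => ({ id, apps: [...apps].sort() }))
    .sort((a, b) => a.id.localeCompare(b.id));
}

// Constructed sample lock files for two hypothetical microservices.
const SAMPLE_LOCKS = {
  'svc-auth': {
    name: 'svc-auth', version: '1.0.0', lockfileVersion: 1,
    dependencies: {
      express: { version: '4.15.2', resolved: MIRROR + 'express/-/express-4.15.2.tgz', integrity: 'sha512-AAAA' },
      // pinned by version only: no integrity hash
      debug: { version: '2.6.1', resolved: MIRROR + 'debug/-/debug-2.6.1.tgz' },
      // hard-coded git URI that shrinkwrap kept instead of the mirror
      'left-pad': {
        version: '1.1.3', resolved: 'git+https://gitlab.com/example/left-pad.git#abc123', integrity: 'sha512-BBBB',
        dependencies: {
          debug: { version: '2.6.1', resolved: MIRROR + 'debug/-/debug-2.6.1.tgz', integrity: 'sha512-CCCC' },
        },
      },
    },
  },
  'svc-api': {
    name: 'svc-api', version: '1.0.0', lockfileVersion: 1,
    dependencies: {
      express: { version: '4.15.2', resolved: MIRROR + 'express/-/express-4.15.2.tgz', integrity: 'sha512-AAAA' },
      debug: { version: '2.6.1', resolved: MIRROR + 'debug/-/debug-2.6.1.tgz', integrity: 'sha512-CCCC' },
      'body-parser': { version: '1.17.1', resolved: MIRROR + 'body-parser/-/body-parser-1.17.1.tgz', integrity: 'sha512-DDDD' },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [app, lock] of Object.entries(SAMPLE_LOCKS)) {
    console.log(app, JSON.stringify(auditLock(lock), null, 2));
  }
  console.log('shared across apps:', JSON.stringify(sharedPackages(SAMPLE_LOCKS)));
}
```

Run it against real files with `JSON.parse(fs.readFileSync('npm-shrinkwrap.json'))` in place of the constructed objects; on the sample data it reports left-pad as off-mirror and top-level debug as integrity-less in svc-auth, and debug@2.6.1 plus express@4.15.2 as candidates for sharing between the two services.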
2017-03-10 16:10 GMT+01:00 Alexander Kanavin <alexander.kana...@linux.intel.com>: > The lockdown files would list the versions of the dependencies (if it is > possible, which is not always true), so you can inspect those to see if > something is vulnerable. In node.js or Go worlds the libraries are not > reused between apps anyway, so it really doesn't matter if they're packaged > as separate recipes or not (I didn't have time to check Rust, but as it's > also using lockdown files, I believe the libraries are not reused either). I don't know if you've heard of the lately popular idea of "microservices" - but basically it comes down to having multiple specialized node applications installed. In practice those applications often share the dependencies, so it would totally make sense to use the packages approach so that the dependencies don't need to be installed in multiple copies. Perhaps maybe not with recipe per npm package, but maybe with some more advanced bitbake magic or a post-rootfs hook to run deduplication. What works most of the time is using shrinkwrap to freeze the dependencies to some local npm mirror, so the concept of lockdown would make sense. Just a word of warning that it sometimes doesn't work that well - some of the npm packages (in the dependencies chain) may have hard-coded URI's to e.g. gitlab and shrinkwrap will keep those references instead of npm mirror. Also npm itself doesn't really check for consistency it only checks for versions, what can happen is that the contents may change but the version string may not. In terms of node yarn [1] seems to address some of the npm shortcomings but I'm not aware of any progress in regards of yocto integration. [1] https://yarnpkg.com/ Best regards, Piotr. -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto