hundreds-father-404
08/18/2022, 8:40 PM
indexes and find_links in lockfile header, we will possibly be writing secrets to the file. We have a whole section in docs "Authenticating to custom repos" that says how to use env var interpolation to keep your secrets safe; but lockfile_metadata.py will only see the final value
find_links
witty-crayon-22786
08/18/2022, 8:45 PM
hundreds-father-404
08/18/2022, 8:46 PM
bitter-ability-32190
08/18/2022, 8:46 PM
witty-crayon-22786
08/18/2022, 8:47 PM
Out of curiosity, why does the header have to be plaintext JSON?
Can we hash the JSON and store that?
at least some of the fields do need to be readable. so it would be partial.
bitter-ability-32190
08/18/2022, 8:48 PM
hundreds-father-404
08/18/2022, 8:48 PM
Can we hash the JSON and store that?
This is actually how I was doing constraints files originally. But a user suggested we change to plaintext because it's much more convenient for git diffs and merge conflicts https://github.com/pantsbuild/pants/pull/16469
bitter-ability-32190
08/18/2022, 8:48 PM
version?
witty-crayon-22786
08/18/2022, 8:48 PM
hundreds-father-404
08/18/2022, 8:49 PM
indexes and find_links for now, given not tracking it is lower risk, exceeding my timebox, and simplifies local requirements support
witty-crayon-22786
08/18/2022, 8:52 PM
attempting to have “the same artifact with different content in two repos/indexes” is A Very Bad Idea
one unfortunate exception to this is local source/git requirements… i’m very not familiar with how John went about supporting that, but frequently folks will try to live-edit sources and then have them consumed without bumping the version
hundreds-father-404
08/18/2022, 9:06 PM
find_links? That isn't very hard to do.
Alternatives:
• no tracking at all
• some sanitization scheme, which probably means some new mechanism for interpolation. complicated and duplicative of current interpolation support
That isn't very hard to do.
eh, but I guess it still complicates my --path-mappings work. So I'll continue with removing this. (It's not an API change, we haven't released this yet.)
bitter-ability-32190
08/19/2022, 12:52 PM
for lockfile updating vs from-scratch creation: we need to read the previous requirements to delta
I'm thinking that ought to be the responsibility of the underlying tool, but I'm very likely to be wrong 😅