Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FR] pin dependency versions rather than refer to "master" archives #26217

Closed
vlsi opened this issue Aug 31, 2023 · 2 comments
Closed

[FR] pin dependency versions rather than refer to "master" archives #26217

vlsi opened this issue Aug 31, 2023 · 2 comments
Labels
C: Build / Toolchain T: Feature Request Features requested by users.

Comments

@vlsi
Copy link
Contributor

vlsi commented Aug 31, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

Currently the code has 6 references to archive/master.zip in features.ini: https://github.com/MarlinFirmware/Marlin/blob/11f98adcce51f06a85ef0dd64e6e6b16139a34bd/ini/features.ini
It makes the build non-repdoducible as the dependencies might change unexpectedly.

Are you looking for hardware support?

No response

Describe the feature you want

I suggest pinning the versions to their hashes or version tags like TMC26XStepper=https://github.com/MarlinFirmware/TMC26XStepper/archive/a7d7c92a13b07addaddee406afc2ad317c5b1551.zip

Additional context

Sample change:

diff --git a/ini/features.ini b/ini/features.ini
index d613fc5124..0370e89951 100644
--- a/ini/features.ini
+++ b/ini/features.ini
@@ -11,21 +11,21 @@

 [features]
 YHCB2004                               = red-scorp/LiquidCrystal_AIP31068@^1.0.4, red-scorp/SoftSPIB@^1.1.1
-HAS_TFT_LVGL_UI                        = lvgl=https://github.com/makerbase-mks/LVGL-6.1.1-MKS/archive/master.zip
+HAS_TFT_LVGL_UI                        = lvgl=https://github.com/makerbase-mks/LVGL-6.1.1-MKS/archive/a3ebe98bc69e5b855dd1d5b36ba569d190fd2d3b.zip
                                          build_src_filter=+<src/lcd/extui/mks_ui>
                                          extra_scripts=download_mks_assets.py
 MARLIN_TEST_BUILD                      = build_src_filter=+<src/tests>
 POSTMORTEM_DEBUGGING                   = build_src_filter=+<src/HAL/shared/cpu_exception> +<src/HAL/shared/backtrace>
                                          build_flags=-funwind-tables
-MKS_WIFI_MODULE                        = QRCode=https://github.com/makerbase-mks/QRCode/archive/master.zip
+MKS_WIFI_MODULE                        = QRCode=https://github.com/makerbase-mks/QRCode/archive/261c5a696a0093226acc850e266020a444b9132d.zip
 HAS_TRINAMIC_CONFIG                    = TMCStepper@~0.7.3
                                          build_src_filter=+<src/module/stepper/trinamic.cpp> +<src/gcode/feature/trinamic/M122.cpp> +<src/gcode/feature/trinamic/M906.cpp> +<src/gcode/feature/trinamic/M911-M914.cpp> +<src/gcode/feature/trinamic/M919.cpp>
 HAS_T(RINAMIC_CONFIG|MC_SPI)           = build_src_filter=+<src/feature/tmc_util.cpp>
 HAS_STEALTHCHOP                        = build_src_filter=+<src/gcode/feature/trinamic/M569.cpp>
-SR_LCD_3W_NL                           = SailfishLCD=https://github.com/mikeshub/SailfishLCD/archive/master.zip
+SR_LCD_3W_NL                           = SailfishLCD=https://github.com/mikeshub/SailfishLCD/archive/6f53c19a8a7140bd87ca1c2bbed992118e062ec0.zip
 HAS_MOTOR_CURRENT_I2C                  = SlowSoftI2CMaster
                                          build_src_filter=+<src/feature/digipot>
-HAS_TMC26X                             = TMC26XStepper=https://github.com/MarlinFirmware/TMC26XStepper/archive/master.zip
+HAS_TMC26X                             = TMC26XStepper=https://github.com/MarlinFirmware/TMC26XStepper/archive/a7d7c92a13b07addaddee406afc2ad317c5b1551.zip
                                          build_src_filter=+<src/module/stepper/TMC26X.cpp>
 LIB_INTERNAL_MAX31865                  = build_src_filter=+<src/libs/MAX31865.cpp>
 NEOPIXEL_LED                           = adafruit/Adafruit NeoPixel@~1.8.0
@@ -43,7 +43,7 @@ HAS_(FSMC|SPI|LTDC)_TFT                = build_src_filter=+<src/HAL/STM32/tft> +
 HAS_FSMC_TFT                           = build_src_filter=+<src/HAL/STM32/tft/tft_fsmc.cpp> +<src/HAL/STM32F1/tft/tft_fsmc.cpp>
 HAS_SPI_TFT                            = build_src_filter=+<src/HAL/STM32/tft/tft_spi.cpp> +<src/HAL/STM32F1/tft/tft_spi.cpp>
 I2C_EEPROM                             = build_src_filter=+<src/HAL/shared/eeprom_if_i2c.cpp>
-SOFT_I2C_EEPROM                        = SlowSoftI2CMaster, SlowSoftWire=https://github.com/felias-fogg/SlowSoftWire/archive/master.zip
+SOFT_I2C_EEPROM                        = SlowSoftI2CMaster, SlowSoftWire=https://github.com/felias-fogg/SlowSoftWire/archive/f34d777f3905767f60dea11ef0d124b79512dcf0.zip
 SPI_EEPROM                             = build_src_filter=+<src/HAL/shared/eeprom_if_spi.cpp>
 HAS_DWIN_E3V2|IS_DWIN_MARLINUI         = build_src_filter=+<src/lcd/e3v2/common>
 DWIN_CREALITY_LCD                      = build_src_filter=+<src/lcd/e3v2/creality>
@@ -240,7 +240,7 @@ HAS_SERVOS                             = build_src_filter=+<src/module/servo.cpp
 MORGAN_SCARA                           = build_src_filter=+<src/gcode/scara>
 HAS_MICROSTEPS                         = build_src_filter=+<src/gcode/control/M350_M351.cpp>
 (ESP3D_)?WIFISUPPORT                   = AsyncTCP, ESP Async WebServer
-                                         ESP3DLib=https://github.com/luc-github/ESP3DLib/archive/master.zip
+                                         ESP3DLib=https://github.com/luc-github/ESP3DLib/archive/dc0f3d96c68dd805c60799fbe8a4c07c45def9ee.zip
                                          arduinoWebSockets=links2004/[email protected]
                                          luc-github/[email protected]
                                          lib_ignore=ESPAsyncTCP
@vlsi vlsi added the T: Feature Request Features requested by users. label Aug 31, 2023
vlsi added a commit to vlsi/reborn2-marlin that referenced this issue Sep 11, 2023
@vlsi
Use stable references to dependency versions rather than "master" branch
d03250d 
It helps with:
* Build stability. If the build pulls "the latest main branch", then the build might fail even though nothing has changed in Marlin
* Security. If build is always pulling "the latest main branch", then compromising a dependency would affect everybody building Marlin

Fixes MarlinFirmware#26217
@vlsi vlsi mentioned this issue Sep 11, 2023
Merged
@thisiskeithb
Copy link
Member

Closing since you've opened a PR:

@github-actions GitHub Actions
Copy link

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Nov 10, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
C: Build / Toolchain T: Feature Request Features requested by users.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vlsi @thisiskeithb