airgap-vault: Cannot reproduce 3.11.1 for Android
Sadly the issue with the minified main.js keeps cropping up and I wonder why and how to avoid it.
Objectionable diff is:
Files /tmp/fromPlay_it.airgap.vault_35477/assets/public/index.html and /tmp/fromBuild_it.airgap.vault_35477/assets/public/index.html differ
Only in /tmp/fromPlay_it.airgap.vault_35477/assets/public: main.6c0c07ffb31b2f9117c8.js
Only in /tmp/fromBuild_it.airgap.vault_35477/assets/public: main.6fac43b747228db945b3.js
In index.html only the main.js file names differ but the two main.*.js files differ in dozens of chunks (after prettifying) and with them being minified, it’s hard to just trust them. Would not minifying be an option? Although that wouldn’t fix reproducibility issues, it would help understand what’s happening and why.
I noticed that dependencies are not well pinned. Not only aren’t they pinned to a cryptographic hash of the dependency, they are not even pinned to a version number. From https://github.com/airgap-it/airgap-vault/blob/abbed9486d42fc10279018ec789566b71cf9cce2/package.json:
"dependencies": {
...
"@angular/common": "^11.2.9",
"@angular/core": "^11.2.9",
"@angular/forms": "^11.2.9",
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (13 by maintainers)
Commits related to this issue
- Optimize Dockerfile layers #103 This commit just removes unnecessary docker layers which results in smaller image and faster builds. — committed to mohammadrafigh/airgap-vault by mohammadrafigh 3 years ago
Thanks for looking into this and thanks @mohammadrafigh for the PR. I will look into it ASAP.
Sent a PR with minor changes in Dockerfile to remove unnecessary layers. As @Giszmo the build is working on server but 3.11.2 is not reproducible due to some diffs in index.html, please check the logs with your API key in Walletscrutiny developers panel.
Thanks for the report. I would love to track down the root cause of this as well.
We will discuss the removal of the minification step, but as you said, this will not resolve the original problem.
The versions in the package.json file are not locked, but the ones in the yarn.lock file are. During our build, we use the --frozen-lockfile flag, which should make sure that the exact dependencies are installed. https://classic.yarnpkg.com/en/docs/cli/install#yarn-install---frozen-lockfile-. This has to be done, because locking the versions in the package.json file means that only the direct dependencies are locked. All sub-dependencies would still always use the latest versions, so that’s what the lock file is for.
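The split discussed above (floating ranges in package.json, exact versions in yarn.lock), as an added example that is not part of the thread or of AirGap's code: a Node.js script that parses yarn.lock v1 syntax and reports, per direct dependency, whether the manifest range floats and whether the lock pins a version and an integrity hash. The function names are hypothetical, and the resolved versions and integrity strings in the sample are constructed placeholders.

```javascript
// Added example (not AirGap's code). Reads yarn.lock v1 syntax only.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/; // 1.2.3, no range operator

// Map each "name@range" header in a yarn.lock v1 file to { version, integrity }.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header such as: "@angular/core@^11.0.0", "@angular/core@^11.2.9":
      current = {};
      for (const key of line.replace(/:\s*$/, '').split(',')) {
        entries.set(key.trim().replace(/^"|"$/g, ''), current);
      }
      continue;
    }
    const m = /^  (version|integrity) "?([^"]+)"?$/.exec(line);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// For every direct dependency, report whether package.json floats and what the lock pins.
function auditPins(pkg, lockText) {
  const lock = parseYarnLock(lockText);
  return Object.entries(pkg.dependencies || {}).map(([name, range]) => {
    const locked = lock.get(`${name}@${range}`) || {};
    return {
      name,
      floating: !EXACT.test(range),          // true for ^, ~, >=, * and similar
      lockedVersion: locked.version || null, // null: lock has no entry for this range
      hashPinned: Boolean(locked.integrity), // true only with an integrity line
    };
  });
}

// Constructed sample: the ranges are the ones quoted in the issue; the resolved
// versions and integrity strings are made-up placeholders.
const samplePkg = { dependencies: {
  '@angular/common': '^11.2.9', '@angular/core': '^11.2.9', '@angular/forms': '^11.2.9' } };
const sampleLock = [
  '# yarn lockfile v1', '',
  '"@angular/common@^11.2.9":', '  version "11.2.14"',
  '  integrity sha512-PLACEHOLDERcommon==', '',
  '"@angular/core@^11.2.9":', '  version "11.2.14"', '',
].join('\n');

console.table(auditPins(samplePkg, sampleLock));
```

In the sample, all three ranges float in the manifest; only `@angular/common` is pinned to both a version and a hash, `@angular/core` has a version but no integrity line, and `@angular/forms` has no lock entry at all.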