🚀 We just launched `$ npx reproduce <pkg>` - ThreadSky

darcyclarke.me • 1 day ago

🚀 We just launched `$ npx reproduce `

Comments

evilpacket.net•1 day ago

Rad tooling. Congrats on the release.

darcyclarke.me•1 day ago

You can read a deeper dive about this & the motivation on the @vlt.sh blog here: https://blog.vlt.sh/blog/reproducibility

darcyclarke.me•1 day ago

🔑 Insights from checking the top 5k npm packages:
- only 3.72% (186) have "provenance" (which launched ~2yrs ago)
- 5.78% (289) are reproducible today & - with additional strategies (ex. yarn/pnpm etc.) - that # will only grow with no additional work by maintainers

bengl.dev•1 day ago

> 5.78% (289) of packages were found to be reproducible

Does it support monorepos? Depending on implementation details, monorepos could be pretty damn tricky.

bradleymeck.bsky.social•1 day ago

I'm hoping we eventually use GHA replays from logs like https://rekor.sigstore.dev/api/v1/log/entries?logIndex=160092522 ; that would give approximately full (sans secrets) instructions for anything OSS enough to build it

lukekarrys.com•1 day ago

so the @vlt.sh monorepo is currently not reproducible for either the CLI or its other workspaces 😅

but im working on it for the CLI right now, so I think it should be supported.

basic idea is the manifest points to the git directory and are you able to run `npm pack|publish` from there

bengl.dev•1 day ago

Nice. Overall this is some great stuff and I know it will make some of our folks happy.

jordan.har.band•1 day ago

that’s checking packages - what are the %s if you count each version of those packages independently?

bradleymeck.bsky.social•1 day ago

Would probably want to limit this somehow (latest major?) otherwise it would be a large task

jordan.har.band•1 day ago

large, but only needs to be done once since published packages are immutable - and will show the true chasm between provenance and reproductions.

bradleymeck.bsky.social•1 day ago

fair

darcyclarke.me•1 day ago

I ran the checks on my own machine (mba) so I apologize I didn't scan the entirety of the registry... yet 😜

What may interest you is just the actual cached set of metadata from that run, so I just threw that into a gist for you:

https://gist.github.com/darcyclarke/11be63ad9b855507d08247405e8b945e

darcyclarke.me•1 day ago

p.s. you can totally do this yourself btw, the `` arg is actually a package spec; ie. you can get super explicit or provide range grammars:

`$ reproduce semver@>=6`
`$ reproduce [email protected]`

jordan.har.band•1 day ago

ooh, ok so basically a github action that takes the package list and uses `@*` would produce the full results, at zero cost?

darcyclarke.me•1 day ago

/cc @jordan.har.band @notwes.bsky.social @naugtur.pl

naugtur.pl•1 day ago

Cool work. May need some sandboxing.

Now if I wanted to target people using this tool, I'd create a dangling commit in my repo and push a valid package from main but point to that commit hash. Then npx reproduce will run my malicious build script that I didn't need to risk publishing to npm.

darcyclarke.me•1 day ago

We'll likely fast-follow this with a GHA to spin up the envs for you & run the test (making it easy to quasi-"sandbox"). You'll want to control your own env if you're truly security conscious & don't trust someone else's CI/config to lock down the env.

darcyclarke.me•1 day ago

If I understand your hypothetical, you're saying any git ref could potentially have malware that was not published into the npm package, which is valid no matter what but reproducible check **shouldn't** pass if building+packing fails to produce the same integrity as exists in the registry.

notwes.bsky.social•1 day ago

Hahaha. You are the best.

notwes.bsky.social•1 day ago

So cool to see this happen!! Great work!

mikolalysenko.bsky.social•1 day ago

this is very cool, the logical next step after installing dependencies

Comments

Posting Rules

Reply