-
What makes you think any of that?
They're already there (and never left). It doesn't have anything to do with reproducibility though.
-
Recently, I've been investigating trying to get yarn (and nodejs) projects into nixpkgs more effectively. To get to the point, it would be useful to have the integrity hashes in the yarn lockfiles to do that easily. This was the case in the v1 spec of the lock file and is no longer the case. Now the only hash that is used is one that is generated based on the zip file on a local computer; since zip files are inherently non-deterministic (see #6068 and #6105), this ends up being useless for the purposes of reproducibility.
On https://yarnpkg.com/cli/install, it is mentioned that yarn install is not part of the recommended workflow, and that .pnp.cjs and the cache should be committed. Unfortunately, the combination of these 2 things, plus the fact that a lot of repos are transitioning from to yarn berry seems to mean that the zero-install workflow isn't used super often; this means that repos that previously were fully reproducible with just the yarn.lock file are no longer reproducible.
That confusion seems to be causing other issues as well (see #6105). If you aren't using zero-install and committing the files, there's no reproducibility using yarn.
Proposed solutions:
The only issue I can think of with option 2 is that you probably can't have both the integrity hash and the checksum in the file because you can't guarantee that they would refer to the same thing. The only way around that as far as I can tell, is to have an option for enabling zero-installs, and storing the checksum or the integrity hash depending on the setting. If the cache and .pnp.cjs files are not in the git tree, then warnings should probably be popping up as well.
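The distinction the post draws between a hash of an archive and a hash of its contents, as an added example that is not part of the original discussion and is not Yarn's code: it packs a constructed two-file package into a zip several times and compares SHA-512 over the archive bytes with SHA-512 over the entry names and decompressed data. The file names, `build_zip`, `content_digest` and the digest layout are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample package contents (not a real npm package).
FILES = {
    "package/package.json": b'{"name":"demo","version":"1.0.0"}\n',
    "package/index.js": b"module.exports = 42;\n",
}

def build_zip(files, mtime, level):
    """Pack `files` into an in-memory zip with a fixed mtime and deflate level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name], compresslevel=level)
    return buf.getvalue()

def archive_digest(blob):
    """SHA-512 over the raw archive bytes (headers, timestamps, compressed data)."""
    return hashlib.sha512(blob).hexdigest()

def content_digest(blob):
    """SHA-512 over entry names and decompressed bytes only, ignoring zip metadata."""
    h = hashlib.sha512()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            # Length prefixes keep name/data boundaries unambiguous.
            h.update(len(name.encode()).to_bytes(8, "big") + name.encode())
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def compare():
    base = build_zip(FILES, (2024, 1, 1, 0, 0, 0), 6)
    same = build_zip(FILES, (2024, 1, 1, 0, 0, 0), 6)   # identical inputs
    later = build_zip(FILES, (2024, 1, 2, 0, 0, 0), 6)  # only the mtime differs
    stored = build_zip(FILES, (2024, 1, 1, 0, 0, 0), 0) # only the deflate level differs
    return {
        "identical_inputs_match": archive_digest(base) == archive_digest(same),
        "mtime_changes_archive_hash": archive_digest(base) != archive_digest(later),
        "level_changes_archive_hash": archive_digest(base) != archive_digest(stored),
        "content_hash_stable": content_digest(base) == content_digest(later) == content_digest(stored),
    }

if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```

An archive hash is reproducible only when every producer pins the same metadata and compression settings, whereas the content digest depends on the packaged files alone.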