Developer docs are incomplete. Building relies on access to closed Github repo?
The README's Contributing section heavily implies that we should be able to build this project on our own machines. However, when trying to do so, cabal complains about the following missing extra-source-files:
vendor-bins/syft
vendor-bins/wiggins
Digging further, it seems these two programs are embedded into the binary using Template Haskell: https://github.com/fossas/fossa-cli/blob/master/src/App/Fossa/EmbeddedBinary.hs#L182
There is a script called vendor_download.sh for downloading these dependencies, but reading the documentation in that file reveals that you need access to the closed-source fossas/basis on Github to use it.
Is there a reason that these are not open sourced? Is this project really intended to be built by users, or do we need to rely on the binary release?
None of this is documented in the contributor docs, and in fact seems to contradict what they are saying about encouraging user contributions.
I suppose technically, one could extract the embedded files from the binary release and then build the project from source, but I suspect that is more than a little frowned upon.
A few responses:
> you need access to the closed-source fossas/basis
Currently, this is true, but we have an alternate solution for this. We haven't had time to implement it yet, and have de-prioritized it since nobody outside of our organization has noticed (until this ticket). Now that someone is interested, we may be able to justify spending developer time on this, so that we can let users build from source, and maybe even submit fixes.
> Is there a reason that these are not open sourced?
Notably, the repo is closed-source, but the binary we retrieve from the repo is intended to be used by end users, though not directly (it's only intended to be used by this project). This is part of our planned fix I mentioned in the previous paragraph.
> None of this is documented in the contributor docs, and in fact seems to contradict what they are saying about encouraging user contributions.
I'll be fixing the docs today to clarify our current position and limitations on building from source. This was probably the biggest mistake here, I'm sorry we weren't clearer about this.
However, building from source is still viable without the binaries. The only limitations are that we will fail when trying to run `fossa container *` commands, and `fossa analyze --experimental-enable-monorepo`.
> one could extract the embedded files from the binary release
`fossa dump-binaries` is a testing utility that may help here; it will extract the binaries onto your filesystem from the binary that ran it, but unfortunately we can't support any version built this way. If you have issues with that build, feel free to send them to us here, and we'll help if we can, but only up to a point.
Thank you so much :heart: I couldn't have wished for a better reply :)
I'll check it out when I'm back at work on Monday.