Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Where did they say they’re not building? Building your app does not mean you install the modules every time. Some apps are so large they have to be split into chunks / layers anyway. In golang this used to be the way you’d add deps, check the entire source into your version control.


Building the same project even without re-installing node modules has absolutely no guarantee of reproducibility.


Oh please explain what’s different. The entire code chunk is the same. How is that not reproducible?


The code being the same != reproducible. Build tools can incorporate e.g. build timestamps into the built artifacts, or randomize the output for e.g. pattern scanning/patch deterrence.

The input is irrelevant. I think you should have a look at what reproducible builds really are before evangelizing them.


So you’re incrementing a timestamp, but the code doesn’t change and it’s super important you change the timestamp and this is a reproducible build?

A reproducible build means anybody on any machine can build the same thing someone else has on theirs. That’s it.


> A reproducible build means anybody on any machine can build the same thing someone else has on theirs. That’s it.

No. A reproducible build is a guarantee that two builders of the same codebase, or the same codebase built multiple times, will result in a bit-for-bit identical of all other builds of the same codebase, every time, guaranteed.

*There are no Node.js-related build systems in mainstream use I am aware of that have any such guarantees. No, docker does not make any such guarantees. No, just because you pinned dependencies does not make that guarantee. No, just because you archived the codebase and vendored your dependencies does not make that guarantee.*

Please educate yourself before dying on a hill for a topic you're misrepresenting entirely.


> No. A reproducible build is a guarantee that two builders of the same codebase, or the same codebase built multiple times, will result in a bit-for-bit identical of all other builds of the same codebase, every time, guaranteed.

That's what I said :)

> Please educate yourself before dying on a hill for a topic you're misrepresenting entirely.

I'll say the same. I've only been doing this for near 30 years ;)

But here you go, here's one example:

1) copy source to destination directory 2) run private npm 3) use private npm repo 4) freeze private npm repo 5) use npm install like normal

here's another:

1) check all node_modules directories into version control 2) ensure no native packages are used 3) copy entire directory structure to destination dir

You are clearly inexperienced, or very focused on node.js only.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: