Add descriptive header comments to generated Dockerfiles #665
Conversation
|
Overall: I like the self-describing nature of this embedded Dockerfile content and I like the way it's done here. I suppose I'd first like to understand the context for the change, if any. Do you have a particular circumstance that makes this necessary? Regardless, thanks for this work! |
Thanks for your note. I got a demo of oss-rebuild and I've been thinking about how we might be able to use the project in production environments in a place like Microsoft. I thought about cases where we might be building several versions of a package from source. This could be because teams consuming those packages have pinned to particular versions, etc. There might be a case where I'm checking these Dockerfiles into a repository and anything that could help them be more self-describing would be helpful, especially because it's hard to read the Dockerfile and intuit how a particular commit hash relates to a specific version of a package. This change was to make it more explicit and hopefully more useful in production environments. Does that help explain the use case? |
|
Agreed, thanks for the contribution! I'm also in favor of self-documenting artifacts. |
pkg/rebuild/rebuild/rebuildremote.go
Outdated
| textwrap.Dedent(` | ||
| #syntax=docker/dockerfile:1.10 | ||
| # OSS-Rebuild Dockerfile | ||
| # Package: {{.Target.Package}} ({{.Target.Ecosystem}}) |
There was a problem hiding this comment.
Can the ecosystem be on its own line? Then this description would more clearly match the rebuild.Target type which is the common descriptor across the codebase.
pkg/rebuild/rebuild/rebuildremote.go
Outdated
| {{- if .Target.Artifact}} | ||
| # Artifact: {{.Target.Artifact}} | ||
| {{- end}} | ||
| # This Dockerfile rebuilds the above package from source for supply chain verification |
There was a problem hiding this comment.
Is this description important to include in each dockerfile?
Attempting to capture the project mission sufficiently in the dockerfile comments seems challenging. For example, some people might not be using rebuilds for supply chain verification. Also, just because we generate the dockerfile doesn't mean it works. It's possible the dockerfile will eventually fail to build, so claiming "this file rebuilds ..." might not be accurate.
Instead, WDYT of adding to the OSS-Rebuild line something like this:
"OSS-Rebuild generated build instructions"
And removing the "This Dockerfile line"
There was a problem hiding this comment.
Of course, I was putting my intent for how I'd use OSS-rebuild, but that's not everyone's intent. I like the suggestion and removed the "This Dockerfile" line and updated the top comment line as suggested.
- Add Target field to rebuildContainerArgs struct - Update both debuildContainerTpl and alpineContainerTpl templates to include: * Package name and ecosystem * Version number * Artifact filename (if present) * Purpose description - Update MakeDockerfile function to pass Target information to templates - Update test cases with proper Target information and expected headers The generated Dockerfiles now include clear documentation about what package is being rebuilt, making them more self-documenting and easier to understand for supply chain verification purposes.
ryanwaite
force-pushed
the
add-dockerfile-header-comments
branch
from
3ce8e99 to
4915955
Compare
…rification these are generated build instructions.
|
This looks good to me, but I'd be interested to hear if @msuozzo has any thoughts. |
pkg/rebuild/rebuild/rebuildremote.go
Outdated
| // TODO: Find a base image that has build-essentials installed, that would improve startup time significantly, and it would pin the build tools we're using. | ||
| textwrap.Dedent(` | ||
| #syntax=docker/dockerfile:1.10 | ||
| # OSS-Rebuild generated build instructions |
There was a problem hiding this comment.
this indentation here looks like it differs from the surrounding lines. may be a tabs vs spaces issue.
There was a problem hiding this comment.
Oh, that's unfortunate. I've pushed a fix.
pkg/rebuild/rebuild/rebuildremote.go
Outdated
| // TODO: Find a base image that has build-essentials installed, that would improve startup time significantly, and it would pin the build tools we're using. | ||
| textwrap.Dedent(` | ||
| #syntax=docker/dockerfile:1.10 | ||
| # OSS-Rebuild generated build instructions |
There was a problem hiding this comment.
@wbxyz mentioned the idea that we could use a PURL here which I thought had some nice properties. While a bit less human-readable, we'd get a bit more density and could probably fit the description comfortably into a single comment line.
Given that it'd be a bit more involved to implement, I'd be happy to merge this and to take on the change in a follow-on. What do you think @ryanwaite?
There was a problem hiding this comment.
A PURL would have some nice properties. I think it'd be great if you took on that work given how involved it is. If you wanted any feedback, please let me know. I'd be happy to help.
Summary
This PR adds informative header comments to all generated Dockerfiles to improve their self-documentation and make them easier to understand for maintainers, security auditors, and users.
Changes
Example Output
Before:
After:
Benefits
Testing