Building Erlang Projects Offline

Viktor Söderqvist viktor@REDACTED
Sun Feb 20 23:11:05 CET 2022


On 2022-02-03 21:35, Tristan Sloughter wrote:
> There was an issue installing rebar3 or building a project with it? You 
> can download the pre-built escript 
> https://s3.amazonaws.com/rebar3/rebar3 -- the only time you should 
> need to go outside the internal network.

In certain corporations, downloading a binary in this way and using it 
to build a business-critical system is out of the question. It's opening 
up the system to supply chain attacks, a topic that has received lots of 
attention lately, for example in US President Biden's Executive Order 
14028, Improving the Nation's Cybersecurity[1], and related NIST 
publications[2].

What if s3.amazonaws.com is compromised in a way so that it serves a 
special version of rebar3 only to your build server and the normal 
version to everybody else? Or what if your DNS server is compromised so 
that you get a fake s3.amazonaws.com?

It turns out that there is no documented way to build rebar3 from source 
code in an offline build environment. The _checkouts trick doesn't work 
for bootstrapping. It is possible (although undocumented, so we can call 
it a hack) to bootstrap rebar3 by first placing all the dependencies and 
their dependencies under _build/default/lib/ prior to running the 
bootstrap script.

Regarding using rebar3 for building software, it is true that it doesn't 
download anything if all deps are available under _checkouts. Another 
way to achieve this is to place your app and all the deps under lib/ in 
the project directory. If any dependency is missing though, rebar3 will 
attempt to download it. There is no way to stop this other than blocking 
Internet access in the build environment.

Why would you want to do that anyway? And why does anyone want a build 
environment to be offline? Well, automatically downloading and running 
any code that you haven't proof-read and approved in advance can be 
regarded as a security issue.

Cheers,
Viktor

[1]: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity#p-54
[2]: https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/software-supply-chain-security



> The only time rebar3 should be hitting the network is if you have 
> dependencies for it to fetch.
> 
> Is it hitting the network when it shouldn't or is it a case like you 
> want it to use a local copy of dependencies?
> 
> Tristan
> 
> On Thu, Feb 3, 2022, at 13:03, Joseph Lloyd wrote:
>> I need a way of building Erlang apps and releases on an 
>> internal corporate network that is intentionally isolated from the 
>> internet.  I have tried installing rebar3 without success so far.  
>>  Has anyone done this?  Are there better ways of achieving offline 
>> builds of erlang apps/releases?
>>
>> Thanks,
>>
>> Joseph
> 
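The two offline procedures described in the message above (staging rebar3's own dependencies under _build/default/lib/ before running its bootstrap script, and staging a project's dependencies under _checkouts/ so that rebar3 has nothing to fetch) can be driven from one script. The script below is an added example; it is not from the mail thread and not part of the rebar3 project. It assumes a vendor directory of pre-reviewed dependency tarballs named <name>.tar.gz with the OTP application directory <name>/ at their top level, a sha256sum-style manifest that is reviewed and committed together with the code, and a checkout of the rebar3 source tree containing ./bootstrap. The manifest check is the part that turns "we proof-read and approved this code" into something the build host actually enforces: a swapped tarball, or an extra dependency nobody reviewed, stops the build before anything is compiled.

```shell
#!/bin/sh
# Offline rebar3 bootstrap helper. Added example, not code from rebar3 or from
# the mail thread. Assumptions (mine, not from the thread):
#   - VENDOR_DIR/<name>.tar.gz is a pre-reviewed dependency whose top-level
#     directory is <name>/ (the OTP application layout);
#   - MANIFEST is a sha256sum-style file ("<sha256>  <name>.tar.gz"), reviewed
#     and committed alongside the code;
#   - REBAR_SRC is a checkout of the rebar3 source tree with its ./bootstrap.
set -eu

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST VENDOR_DIR
# Succeeds only if every manifest entry is present with the expected hash AND
# every tarball in VENDOR_DIR is listed in the manifest: a tampered file and an
# extra, never-reviewed dependency are both refused before anything is built.
verify_manifest() {
    manifest=$1; vendor=$2; status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$vendor/$name" ]; then
            echo "missing: $name" >&2; status=1
        elif [ "$(sha256_of "$vendor/$name")" != "$expected" ]; then
            echo "hash mismatch: $name" >&2; status=1
        fi
    done < "$manifest"
    for f in "$vendor"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        awk '{print $2}' "$manifest" | grep -qxF "$name" ||
            { echo "unlisted: $name" >&2; status=1; }
    done
    return "$status"
}

# stage_deps VENDOR_DIR TARGET_DIR
# Unpack every vendored dependency into TARGET_DIR. Use
# REBAR_SRC/_build/default/lib for bootstrapping rebar3 itself, or a project's
# _checkouts directory when building an application with an existing rebar3.
stage_deps() {
    vendor=$1; target=$2
    mkdir -p "$target"
    for f in "$vendor"/*.tar.gz; do
        [ -e "$f" ] || continue
        tar -xzf "$f" -C "$target"
    done
}

# offline_bootstrap VENDOR_DIR MANIFEST REBAR_SRC
# Verify, stage, then run rebar3's bootstrap on a host with no network.
offline_bootstrap() {
    vendor=$1; manifest=$2; src=$3
    verify_manifest "$manifest" "$vendor" ||
        { echo "refusing to build: vendored deps do not match manifest" >&2; return 1; }
    stage_deps "$vendor" "$src/_build/default/lib"
    (cd "$src" && ./bootstrap)
}

# Usage: sh offline-rebar3.sh VENDOR_DIR MANIFEST REBAR_SRC
if [ $# -eq 3 ]; then
    offline_bootstrap "$1" "$2" "$3"
fi
```

Run it on the isolated build host as `sh offline-rebar3.sh VENDOR_DIR MANIFEST REBAR_SRC`. For building an application rather than rebar3 itself, call stage_deps with the project's _checkouts/ directory as the target after the same verify_manifest check; the script does not change what rebar3 does once it runs, it only guarantees that what is staged is exactly what was approved.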

