Building Erlang Projects Offline

[Oliver Korpilla]

For our mixed Erlang/elixir environment we also have an offline
requirement. Because our continuous integration should not simply stall
because some server anywhere in the world we have no influence on dies.

Initially we mirrored the project releases we were using on internal
servers but that was shelved.

Right now we use fixed revisions of all our dependencies, including the
aforementioned binary rebar3 off of AWS to build our Erlang
dependencies, and we configure mix accordingly to use all dependencies
from local.

We're also supplying a fixed version of elixir's package manager hex by
supplying a pre-made home directory for build purposes.

Frankly, this whole "package management by default" is a real hassle if
you want to go offline. The hoops I had to jump through so that nothing
gets downloaded from the internet were more effort than we ever anticipated.

Oliver

On 21.02.2022 15:08, Mikael Pettersson wrote:
> On Sun, Feb 20, 2022 at 11:11 PM Viktor Söderqvist
> <viktor@REDACTED> wrote:
>> Why would you want to do that anyway? And why does anyone want a build
>> environment to be offline? Well, automatically downloading and running
>> any code that you haven't proof-read and approved in advance can be
>> regarded a security issue.
> +1
>
> We maintain our own internal mirrors of whatever 3rd party software we
> might depend on, and build machines are only able to access those, not
> the Internet. Yes it does require tweaks to rebar.config but the
> alternative of just pulling stuff off the Internet is simply not an
> option. (All our environments are network-isolated, not just build
> nodes.)

--
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus