35 changes: 35 additions & 0 deletions docs/demos/lcore/cve_hermetic_build.html
@@ -0,0 +1,35 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

⚠️ Potential issue | 🟠 Major

Remove user-scalable=no to avoid blocking zoom accessibility.

Line 5 disables user zoom, which is an accessibility blocker in browser/mobile contexts.

Suggested fix
-        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/demos/lcore/cve_hermetic_build.html` at line 5, Update the viewport meta
tag to allow user zoom by removing the user-scalable=no directive (e.g., adjust
the existing meta viewport tag used in the page). Locate the meta viewport
element (the <meta name="viewport" ...> tag) and either remove the user-scalable
parameter or set it to allow scaling so zoom is not disabled for accessibility.

<title>Fixing CVEs in hermetic build environment</title>
<link rel="stylesheet" href="dist/reset.css">
<link rel="stylesheet" href="dist/reveal.css">
<link rel="stylesheet" href="dist/theme/simple.css">
<!--link rel="stylesheet" href="plugin/highlight/monokai.css"-->
<link rel="stylesheet" href="plugin/highlight/github.css">
</head>
<body>
<div class="reveal">
<div class="slides">
<section data-markdown="cve_hermetic_build.md">
</section>
</div>
</div>
<script type="application/javascript" src="dist/reveal.js"></script>
<script type="application/javascript" src="plugin/notes/notes.js"></script>
<script type="application/javascript" src="plugin/markdown/markdown.js"></script>
<script type="application/javascript" src="plugin/highlight/highlight.js"></script>
<script type="application/javascript">
Reveal.initialize({
controls: true,
progress: true,
history: true,
center: true,
plugins: [ RevealMarkdown, RevealHighlight ]
});
</script>
</body>
</html>
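Review bot: Drop the commented-out `<link rel="stylesheet" href="plugin/highlight/monokai.css">` line rather than shipping dead markup in a brand-new file; if the intent is a switchable theme, a one-line HTML comment saying so is clearer than a disabled tag. Two further points on this hunk: the diff adds only the two files under `docs/demos/lcore/`, so `dist/reset.css`, `dist/reveal.js`, `plugin/markdown/markdown.js` and the other relative asset paths must already exist next to them for the deck to render at all, which is worth confirming in the PR description; and because `<section data-markdown="cve_hermetic_build.md">` makes reveal.js fetch the markdown file over XHR, the deck has to be served over HTTP rather than opened from `file://`, which deserves a short serving note for whoever runs the demo. The `user-scalable=no` accessibility issue raised above still stands.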

54 changes: 54 additions & 0 deletions docs/demos/lcore/cve_hermetic_build.md
@@ -0,0 +1,54 @@
# Lightspeed Core

![LCORE](images/lcore.jpg)

---

# Fixing CVEs in hermetic build environment

Pavel Tišnovský,
ptisnovs@redhat.com

---

## Hermetic build

* Downloads all sdists
* Network is disabled
* All packages are built w/o network access
* Results will be added into the dest. image

---

## Types of packages

* With sources (sdist)
* With sources, but with time consuming build

⚠️ Potential issue | 🟡 Minor

Hyphenate compound adjective for clarity.

Line 26 should use “time-consuming build”.

🧰 Tools
🪛 LanguageTool

[grammar] ~26-~26: Use a hyphen to join words.
Context: ...es (sdist) * With sources, but with time consuming build * Without sources (binar...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/demos/lcore/cve_hermetic_build.md` at line 26, The phrase "time
consuming build" in the bullet item should be corrected to the hyphenated
compound adjective "time-consuming build"; locate the text "time consuming
build" in the docs/demos/lcore/cve_hermetic_build.md bullet and replace it with
"time-consuming build" to improve clarity.

* Without sources (binary wheels)
* `pip` is special a bit

---

## Solution proposed by RH

* Standard Python registry
* RH Python registry with pre-built packages

---

## How to fix CVE?

* Package in PyPi?

⚠️ Potential issue | 🟡 Minor

Fix package index capitalization (PyPI).

Line 41 uses PyPi; the standard name is PyPI.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/demos/lcore/cve_hermetic_build.md` at line 41, Replace the incorrect
capitalization "PyPi" with the standard "PyPI" in the markdown text;
specifically update the bullet text "* Package in PyPi?" to "* Package in PyPI?"
so the package index name is correctly capitalized.

- update lockfile + requirements file
- ETA - hours
* Package in RH Python registry
- ask on forum-aipcc
- exact workflow to be defined + refined
- ETA - days (!!!)
* `pip` package
- dunno ATM :(

⚠️ Potential issue | 🟡 Minor

Use neutral/professional wording for external-facing slides.

Lines 47–50 (days (!!!) and dunno ATM :() read informal and ambiguous; please replace with precise neutral status wording.

Suggested wording
-* Package in RH Python registry
-    - ask on forum-aipcc
-    - exact workflow to be defined + refined
-    - ETA - days (!!!)
+* Package in RH Python registry
+    - ask on forum-aipcc
+    - exact workflow to be defined and refined
+    - ETA: days

-* `pip` package
-    - dunno ATM :(
+* `pip` package
+    - workflow TBD
🧰 Tools
🪛 LanguageTool

[style] ~47-~47: Using many exclamation marks might seem excessive (in this case: 3 exclamation marks for a text that’s 707 characters long)
Context: ... be defined + refined - ETA - days (!!!) * pip package - dunno ATM :( --...

(EN_EXCESSIVE_EXCLAMATION)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/demos/lcore/cve_hermetic_build.md` around lines 47 - 50, Replace the
informal/ambiguous phrases in the slide text — specifically the "days (!!!)" ETA
and "dunno ATM :(" pip package note — with neutral, professional status wording;
for example change the ETA to "ETA: TBD" or "ETA: pending" and change the pip
package line to "pip package: pending/under investigation" (or "TBD") so the
external-facing slides use precise, neutral language.

---

## Thank you
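Review bot: The "Types of packages" slide distinguishes sdists from binary wheels, but the "How to fix CVE?" slide only branches on where the package is hosted (PyPI, RH Python registry, `pip`) and never says how a CVE in a binary-wheel-only package is fixed when the hermetic build cannot rebuild it from source and the network is disabled; suggest a bullet covering that case, even if the answer is "wait for an upstream wheel". The "`pip` is special a bit" bullet would benefit from one line on why (if it is because `pip` is part of the build tooling rather than a dependency in the lockfile, say so). Finally, under "Package in PyPI?" consider stating that the lockfile pin and the requirements entry must be bumped together, since the hermetic build downloads exactly what the lockfile names and an updated requirements file alone leaves the old sdist in the image.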
