Transcript: WebAssembly News: Merging the wash CLI and SBOM Build Provenance
wasmCloud Weekly Community Call — Wed, Mar 5, 2025 · 16 minutes
Speakers: Brooks Townsend, Taylor Thomas, Masoud (wasmCloud OSS Fellow)
Brooks Townsend 1:22
Hello everybody. Welcome to the wasmCloud community call for wasmCloud Wednesday — rather, for March 5 — coming at you from the office of Bailey Hayes. Today we have got a pretty quick agenda, just a couple of things that we want to touch base on, with outstanding pull requests in the wasmCloud org — some features and functionality that we've been working on. Some of us are on-site, essentially working and hacking together with much coffee and somewhat dark rooms, so we are pretty heads down, looking forward toward KubeCon EU.
So let me go ahead and share. It's not really a demo, but just something that Ahmed, one of the wasmCloud maintainers, has been working on over the past couple of weeks.
Basically, this effort has been ongoing for a little while. We've been trying to maintain a feature freeze on merging wash-lib and wash CLI. These are two separate crates in our Rust code, but by combining them, we will be able to release wash features and functionality a lot quicker, and we can release those actually under one singular crate. So it's great.
I just wanted to touch base here — thanks Taylor — on this, because thank you, Ahmed. Ahmed has done all of the hard work on this PR. We have run into a couple of little things, like we actually had a couple of issues basically in the main branch of this repository that we had to get a rebase done in order to bring those fixes over — like a library that had an incompatible license that we got fixed, and a couple of issues with an integration test for the HTTP client, things like that. So anyways, Ahmed has gone through and done the rebase, and we've been really diligent — we haven't been merging anything else to wash-lib or wash CLI for now. We're just going to keep that going until we can get this PR across the line. So I'm working with Ahmed on getting this done, just working through CI — everybody's favorite thing.
What it's going to look like after this PR lands is: we will be able to cut — I think essentially right before this PR lands, we would cut one last release of wash-lib and wash CLI, and then after this PR lands, we will just have a singular wash crate here under wasmCloud. Now, I don't think this will really affect anybody when it comes to how you install or run wash. It's still going to be a wash binary. You're still going to install it either via your package managers — we're going to deal with making that change. I guess all they would really change is if you're installing via Cargo: you would run cargo install wash instead of cargo install wash-cli. So little baby things here, but a good thing to get done nonetheless.
So in terms of the wash work, that's been moving along really well. As a reminder — oh, hey, there was the failed test, you can look at it as a reminder — this was something that we brainstormed and we've been working on as a part of our Q1 roadmap. So wash CLI and wash-lib getting merged is going very well.
We have Masoud, OSS Fellow, working on phase one of SBOM and build provenance for wasmCloud artifacts work, which is going really well. Masoud, is there anything you wanted to add on that note?
Masoud 5:36
Yeah, actually. In January, I learned that my assumption was wrong — or my understanding was wrong. I have updated, with the full details in the issue ticket, explaining what the situation is. So I developed a solution that is compatible with the existing pipeline. Level three, basically — the short of it is that level three requires isolation of the build and attestation, not just attestation. And because at the moment we're not able to isolate things that cleanly — it demands, it wants them to be reusable workflows and so on. So I designed something that is suitable for level two, and then I set up a repository to run wasmCloud component jobs and provider jobs and so on, with the modifications that are related to that.
So basically, we have an output to review. And then I added what the pros and cons are of the solution that I have implemented, because the main con is that it makes the pipeline — it's already complicated — it makes it more complicated, because there are a lot of injection points to make this work at the moment. At your pace — I know that at the moment you are very busy with the preparations — but I'm just saying that later on, this needs to be evaluated, and we decide: do we want to proceed with this, or do we want to hold off until we further improve the pipeline that we have, and then come back to this issue?
Brooks Townsend 7:49
Okay, yeah. It looks like there's a lot to — I'm kind of skimming this just to see if there was anything to talk about right now. But I think this would definitely be a good thing for us to review and talk about, Masoud. I would propose then that we can take this — I'll get this comment, or if you wanted to post this comment out in the wasmCloud Slack, it would be good at least for us to be able to review it asynchronously and then maybe talk about it. We could have this as the first discussion item in next week's community call, after we've had a chance to review. Do you think that's fair? Would you rather read through it now and just talk about some of the pros and cons?
Masoud 8:37
It's fine for next week, again, because this isn't the critical path of, let's say, any important features. It's something that we need eventually to implement, and we have to decide if that eventual time is now or is later. I'll post it in the Slack, as you suggested, and then you can take it from there.
Brooks Townsend 9:07
Yeah, thank you. That would be awesome. That sounds great. Why don't we take a little bit of time to review this one, and then — I hope that whatever we do, maybe we can make some improvements to the build pipeline so that this doesn't feel as complicated, or at least adding new things doesn't make it feel any more complex. Because I know that has definitely been a hard place to contribute — our build pipeline is complex, because we do a lot of complex things.
Masoud 9:45
And Brooks, by the way, I have mentioned in that response that I think I have observed a regression in the components build. It seems that we have reverted to the old format — for the components as OCI-packed packages.
Brooks Townsend 10:15
Interesting, okay. Yeah, let's take a look at that one. Taylor, off the top of your head — we are using, like, we should be using the Wasm image, like the recommendations from the Wasm working group for pushing OCI, like Wasm as OCI artifacts. Does that also prescribe a config media type, like we shouldn't be using our own still?
Taylor Thomas 10:50
Yeah, we're using the standard config type now. There might be some old stuff that's still drifting around out there that might have the old custom config type, but that config type is basically the core of that specification. So I think we're, like —
Masoud 11:06
Sorry, let me clarify. Actually, there are two issues. This might be the case that you're saying, Taylor, for the format, because I checked and the format was not compatible with artifact. But what I'm saying in terms of regression is that I saw that the latest images are being built with that "actor" something — something signature, the in-house formatting that you had before the OCI standard was announced.
Taylor Thomas 11:46
I don't even think the word "actor" appears in our code base anymore, except in some comments where it's like, "this used to be called actor." So I don't know why you'd be seeing that, but I don't think it's from the first tooling. So if you can find an example and send it our way, that'd be good to know. The thing that was created as part of the CNCF working group for it — and with the OCI folks — is OCI-artifact compliant, and then we're using that in the libraries that we have. So if something goes wrong there, send me an example of where you've seen that go wrong, and if you can figure out what or who pushed it, that'd be good so I can track that down. But as far as I know, that's not in our tooling.
Masoud 12:29
I am going to post one in a few minutes. Just carry on, and I'll grab one.
Brooks Townsend 12:42
Cool. Masoud, I'm glad that you noticed that. It's something that wouldn't come up, like, in the critical path often, but we should definitely figure out what's going on — or if it's an old version of wash that's getting pulled into the CI, or if we need to adjust what we're doing somewhere. So I'm glad that you noted that.
Masoud 13:09
The documentation claims that everything is OCI and so on, and then I just wanted to make sure that you're aware that something has happened.
Brooks Townsend 13:20
Yeah, thank you. All right, well, I think that that's actually all that I had on the community agenda for today. I didn't have a demo that I wanted to show, since we've just been kind of heads down getting some things done. The discussion, I think, is really quick — just kind of moving PRs across and keeping going on the roadmap for now. Since we're kind of at the end of the agenda, does anybody have any other topics that they'd like to bring up or talk about today in the community call?
Masoud 14:16
Can I ask — sorry, can I ask a quick question? I know the answer, but I want to confirm. I'm working on that internal client provider, the HTTP client provider, and I saw that you have recently added some experimental flag for the internal providers. So I assume that I should extend that to this one too, right?
Brooks Townsend 14:46
Yes, that would be great. I think it's like the built-in HTTP server — the same format for the built-in HTTP client would be great. The built-ins are something that we want to keep behind the experimental flag, so that we can really tease out the right use case for doing the built-ins, and make sure that it feels right, because it is definitely different than our discrete binary providers. So yeah, the built-in HTTP client, I think, should go behind the same context. Thanks.
All right, folks. Well, kind of a short one today, but that's all right — good one for a rainy day. Rainy here in North Carolina, I guess. We'll give everybody back a little bit of time and get back to hacking. Thanks everybody for coming to the community call and for watching and hanging out. We'll see you next week for wasmCloud Wednesday. Have a wasmCloud day. See you, everybody.
Taylor Thomas 16:10
Thank you. Good luck.
Brooks Townsend 16:11
Thank you.