Yarn package building issue

nebulon

Apparently the key for the debian yarn package repo is expired and thus all packages which use apt update will fail to build with:

W: GPG error: http://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
E: The repository 'http://dl.yarnpkg.com/debian stable InRelease' is not signed.

The workaround for this is mentioned at https://github.com/yarnpkg/yarn/issues/7866
Add the following to the package Dockerfile prior to apt update:

RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

We have to update the base image to resolve this properly.

mehdi

@nebulon Why do you guys install yarn with apt, instead of installing it with npm, in the base image ?

nebulon

Good question, I am not sure anymore. So that is also up for investigation with the pending new base image

jimcavoli

Yeah, wherever I need yarn, I'm installing it via npm and often actually installing particular node versions directly as well in my packagings. IMO we're reaching a scale of seriously diminishing returns, and frequently apps now are including the versions they need in the actual source in asdf .tool-versions or similar files. I specifically try to automate the runtime selection/installation at build time when this information is available from the app - it increases compatibility to be more specific, if taking a hit on container bloat since it often doubles up on base image contents.

robi

consider running things thru docker-slim to minify the images.

girish

I will remove the apt installation and make it npm installation because that's what upstream recommends - https://classic.yarnpkg.com/en/docs/install/#debian-stable