Netlify and Hugo Pipes

I just created this thread to funnel several channels’ discussions on the topic here.

FYI: Pending resolution of this Netlify issue it seems you have to commit your resources/ directory.

For any other questions, concerns or welcome tips, this is the place to get attention :slight_smile:

I see the above sentence as “something painful”. I would say that the above would be a perfectly fine workflow for many, and I think currently the only secure workflow if you want to use SRI.

Also, in a normal Hugo site, you would:

  1. Design your pretty site.
  2. Spend the next year writing content for your site.

One could argue that rebuilding your unchanged assets on every little comma change inside /content is wasteful, and it also adds to the stuff you need to test/verify before you publish. This is, of course, even more true for themes – where the design should be considered something stable that you get for free.

1 Like

More like something I want to have the liberty to do or not do.

Well… I see some potential to let editors customize their theme/project’s assets using Hugo Pipes. So in this workflow, there’s no way to know when the assets will have to be rebuilt. Same goes with Page Bundle image processing.

I understand committing your resources/ is the right choice for many workflows, but is it for all? Honest question, I’m fairly uneducated on the subject.

Now that’s interesting. Why is that so if I may ask?

Surely not. But I see everyone talking about it as a workaround.

With SRI you tell people that “the code you are now about to run has not been tampered with.” It protects against https://en.wikipedia.org/wiki/Man-in-the-middle_attack

And to do that, you will probably want to calculate the hashes in a place where there are known to be very few men in the middle. On some cloud server or in your office where you can do manual checks that the hash sum matches the content? And if you commit these stable /resources to GitHub you get Git’s sha256 as an additional layer: You can look at the SRI hash and know for sure that this is the v1.0.0 of your JS library. And knowing that it hasn’t changed also has some other nice side-effects: It limits the test-scope on releases.

1 Like
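
The hash comparison discussed in the post above, as an added example that is not part of the original thread or of Hugo's code: it computes an SRI integrity value for an asset and checks a later copy against the pinned value. The asset bytes are constructed, and failing when no usable hash is listed is this example's choice for a pre-publish check, not browser behaviour.

```python
import base64
import hashlib
import hmac

# Algorithms defined by the SRI specification, weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}

def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def verify(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute value.

    As in a browser, only the strongest algorithm listed is used and one
    matching digest of that algorithm is enough. Unlike a browser, a
    value with no usable hash fails closed (assumption of this example).
    """
    entries = []
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop optional "?options"
        if sep and alg in STRENGTH and b64:
            entries.append((alg, b64))
    if not entries:
        return False
    strongest = max(entries, key=lambda e: STRENGTH[e[0]])[0]
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return any(hmac.compare_digest(actual, b64)
               for alg, b64 in entries if alg == strongest)

# Constructed sample: the asset as reviewed and committed, and a copy
# that came out of a later build with different bytes.
REVIEWED = b"console.log('v1.0.0');\n"
REBUILT = b"console.log('v1.0.1');\n"
PINNED = sri_hash(REVIEWED)  # computed once, in the trusted place

if __name__ == "__main__":
    print(PINNED)
    print("reviewed asset:", verify(REVIEWED, PINNED))
    print("rebuilt asset: ", verify(REBUILT, PINNED))
```
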

You might want this response here as well:

I guess I didn’t use the right search query before posting this thread :roll_eyes:

Thanks @TotallyInformation

1 Like

@bep thanks for clarifying on the SRI stuff!

1 Like

Netlify fixed the problem. For new projects that people set up on Netlify, this is not an issue anymore.

For existing projects you manually need to set Netlify to use a newer Ubuntu version. Here is the article that explains how to do it. No worries, it is not difficult. https://www.netlify.com/blog/2019/03/14/a-more-flexible-build-architecture-with-updated-linux/
After that you can safely include the resources/_gen folder in your .gitignore file (and remove them from git tracking).