Downloading Node and NPM deps via gclient sync.

Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_z0cDwAJ

BUG=673825
Review-Url: https://codereview.chromium.org/2574033002
Cr-Commit-Position: refs/heads/master@{#443777}
Committed: https://chromium.googlesource.com/chromium/src/+/cbee6ab37edb7df0d8d5354fd2af29e968f33e94

[dpapad, 2016-12-14 00:43:24]

Patchset #3 (id:40001) has been deleted

[dpapad, 2016-12-14 00:43:27]

Patchset #2 (id:20001) has been deleted

[dpapad, 2016-12-14 00:43:34]

Patchset #1 (id:1) has been deleted

[dpapad, 2016-12-14 01:10:17]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-12-14 01:10:46]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2016-12-14 01:19:57]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-12-14 01:20:42]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2016-12-14 01:24:01]

Description was changed from

==========
Add setup for downloading Node via gclient sync, WIP.

BUG=673825
==========

to

==========
Downloading Node via gclient sync.

This is necessary for WebUI.

BUG=673825
==========

[dpapad, 2016-12-14 01:26:20]

Description was changed from

==========
Downloading Node via gclient sync.

This is necessary for WebUI.

BUG=673825
==========

to

==========
Downloading Node via gclient sync.

This is necessary for WebUI to harness several Node based tools to speed up
performance (as well as remove generated code from the repository).

BUG=673825
==========

[dpapad, 2016-12-14 01:26:59]

Description was changed from

==========
Downloading Node via gclient sync.

This is necessary for WebUI to harness several Node based tools to speed up
performance (as well as remove generated code from the repository).

BUG=673825
==========

to

==========
Downloading Node via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

BUG=673825
==========

[dpapad, 2016-12-14 02:32:47]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-12-14 02:33:17]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-14 03:37:34]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-14 03:37:34]

Dry run: This issue passed the CQ dry run.

[dpapad, 2017-01-06 22:37:58]

Description was changed from

==========
Downloading Node via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

BUG=673825
==========

to

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

BUG=673825
==========

[dpapad, 2017-01-06 22:51:45]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-06 22:52:03]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2017-01-07 01:04:48]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-07 01:05:26]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2017-01-07 01:05:47]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-07 01:06:21]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2017-01-07 01:12:03]

Description was changed from

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

BUG=673825
==========

to

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_...

BUG=673825
==========

[commit-bot: I haz the power, 2017-01-07 02:13:01]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-07 02:13:02]

Dry run: This issue passed the CQ dry run.

[Dirk Pranke, 2017-01-09 02:09:47]

dpranke@chromium.org changed reviewers:
+ dpranke@chromium.org

[Dirk Pranke, 2017-01-09 02:09:48]

This basically looks okay, except we need to know how to be able to recreate or
update these things.

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
File third_party/node/README.chromium (right):

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
third_party/node/README.chromium:3: URL: https://github.com/joyent/node
Not https://github.com/nodejs/node ?

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
third_party/node/README.chromium:12: Node binary and NPM modules necessary for
buliding Chrome's WebUI.
You need to document how to recreate or re-retrieve the binaries and modules.

[dpapad, 2017-01-10 19:52:58]

Patchset #11 (id:260001) has been deleted

[dpapad, 2017-01-10 19:59:48]

dpapad@chromium.org changed reviewers:
+ dbeam@chromium.org, security@chromium.org

[dpapad, 2017-01-10 19:59:49]

dbeam: Feel free to suggest bash scripts improvements.

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
File third_party/node/README.chromium (right):

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
third_party/node/README.chromium:3: URL: https://github.com/joyent/node
On 2017/01/09 at 02:09:48, Dirk Pranke wrote:
> Not https://github.com/nodejs/node ?

Done.

https://codereview.chromium.org/2574033002/diff/240001/third_party/node/READM...
third_party/node/README.chromium:12: Node binary and NPM modules necessary for
buliding Chrome's WebUI.
On 2017/01/09 at 02:09:48, Dirk Pranke wrote:
> You need to document how to recreate or re-retrieve the binaries and modules.

Added two scripts in this CL, update_node_binaries.sh and update_npm_deps.sh. I
was initially planning to land those separately, to make this review easier.

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
File third_party/node/update_node_binaries.sh (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
third_party/node/update_node_binaries.sh:24: tar cfz
${FOLDER}/node-darwin-x64.tar.gz ${FOLDER}/node-${NODE_VERSION}-darwin-x64/
FWIW, this command is not 100% deterministic (the output file has a different
sha1 hash every time). Not necessarily a problem, but if there is an easy way to
fix this it would be nice.

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
third_party/node/update_node_binaries.sh:62: sha1="$(sha1sum ${FOLDER}/node.exe
| cut -d ' ' -f1)"
Perhaps we should also compress node.exe? I did not initially do it because I
did not know if the download_from_google_storage.py --extract option would work
on windows (it does).

[scottchen, 2017-01-10 21:56:04]

scottchen@chromium.org changed reviewers:
+ scottchen@chromium.org

[scottchen, 2017-01-10 21:56:05]

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/npm_e...
File third_party/node/npm_exclude.txt (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/npm_e...
third_party/node/npm_exclude.txt:8: *.png
would we run into issues excluding .png, .svg, and fonts if a front-end
library's trying to use them in its css? I'm thinking bootstrap icons as an
example.

[Dan Beam, 2017-01-10 22:03:28]

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/npm_e...
File third_party/node/npm_exclude.txt (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/npm_e...
third_party/node/npm_exclude.txt:8: *.png
On 2017/01/10 21:56:05, scottchen wrote:
> would we run into issues excluding .png, .svg, and fonts if a front-end
> library's trying to use them in its css? I'm thinking bootstrap icons as an
> example.

but we're not doing that yet and this list can change to accommodate that if we
ever did (for some reason)

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
File third_party/node/update_node_binaries.sh (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
third_party/node/update_node_binaries.sh:62: sha1="$(sha1sum ${FOLDER}/node.exe
| cut -d ' ' -f1)"
On 2017/01/10 19:59:49, dpapad wrote:
> Perhaps we should also compress node.exe? I did not initially do it because I
> did not know if the download_from_google_storage.py --extract option would
work
> on windows (it does).

i suspect that would not be useful

[Dan Beam, 2017-01-10 22:09:13]

you might want to start using python instead of shell for the update scripts.  i
wish i had in many places.  it'd also work [better?] on windows.

if you do decide to stick with shell, you should adhere to the shell style
guide:
https://google.github.io/styleguide/shell.xml

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
File third_party/node/update_node_binaries.sh (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
third_party/node/update_node_binaries.sh:1: #!/bin/bash
copyright

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
File third_party/node/update_npm_deps.sh (right):

https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
third_party/node/update_npm_deps.sh:9: if [ -d "node_modules" ]; then
this should probably be based on the location of the script, not the current
working directory.

if you run this from src/ bad things could happen or something

[dpapad, 2017-01-10 22:35:13]

On 2017/01/10 at 22:09:13, dbeam wrote:
> you might want to start using python instead of shell for the update scripts. 
i wish i had in many places.  it'd also work [better?] on windows.
> 
> if you do decide to stick with shell, you should adhere to the shell style
guide:
> https://google.github.io/styleguide/shell.xml
> 
>
https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
> File third_party/node/update_node_binaries.sh (right):
> 
>
https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
> third_party/node/update_node_binaries.sh:1: #!/bin/bash
> copyright
> 
>
https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
> File third_party/node/update_npm_deps.sh (right):
> 
>
https://codereview.chromium.org/2574033002/diff/280001/third_party/node/updat...
> third_party/node/update_npm_deps.sh:9: if [ -d "node_modules" ]; then
> this should probably be based on the location of the script, not the current
working directory.
> 
> if you run this from src/ bad things could happen or something

I'll stick with bash for now (and address your bash related comments shortly). I
can migrate to python as a follow up. My priority is to get MD Settings
vulcanized, and these scripts are only useful to the few persons that will be
rolling NPM/Node binaries, so not worth blocking Settings vulcanization on this.

[dpapad, 2017-01-11 19:08:11]

Updated bash scripts to conform to the bash styleguide, as well as addressed
issue with being able to execute the scripts from any folder. PTAL.

[Dan Beam, 2017-01-11 19:09:37]

On 2017/01/11 19:08:11, dpapad wrote:
> Updated bash scripts to conform to the bash styleguide, as well as addressed
> issue with being able to execute the scripts from any folder. PTAL.

https://google.github.io/styleguide/shell.xml#File_Extensions

can we drop the .sh?

[dpapad, 2017-01-11 19:12:22]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-11 19:13:12]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[dpapad, 2017-01-11 19:17:31]

On 2017/01/11 at 19:09:37, dbeam wrote:
> On 2017/01/11 19:08:11, dpapad wrote:
> > Updated bash scripts to conform to the bash styleguide, as well as addressed
> > issue with being able to execute the scripts from any folder. PTAL.
> 
> https://google.github.io/styleguide/shell.xml#File_Extensions
> 
> can we drop the .sh?

Done.

[Dan Beam, 2017-01-11 20:17:50]

i didn't review the bash with an insanely fine-toothed comb because i doubt
there will be many running this

lgtm

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:28: rm ${FOLDER}/${FILENAME}
nit: in a couple cases you ask whether a directory or file exists before
deleting it.  why not just remove it unconditionally with -f?

rm -f "${FOLDER}/${FILENAME}"

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:103: sed -i
"s/\(chromium-nodejs\/\)\([0-9]\|\.\)\+/\1${NODE_VERSION:1}/" ../../DEPS
nit: can you use a different sed separator?  like sed 's@blah@blee@' (/ -> @). 
we don't get as much saw toothing.

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:103: sed -i
"s/\(chromium-nodejs\/\)\([0-9]\|\.\)\+/\1${NODE_VERSION:1}/" ../../DEPS
[0-9]\|\. could just be [0-9\.]

[palmer, 2017-01-11 20:43:47]

palmer@chromium.org changed reviewers:
+ palmer@chromium.org
- security@chromium.org

[palmer, 2017-01-11 20:44:39]

Note for the future: It's best to send a note to security@chromium.org about the
CL, but to CC specific security reviewers. I'll take a look at this today.

[palmer, 2017-01-11 20:53:51]

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:28: rm ${FOLDER}/${FILENAME}
> rm -f "${FOLDER}/${FILENAME}"

It's crucial to use the quotes, by the way, to avoid shell injection attacks
from file names. If a file were named "foo.txt; rm -rf ~" we'd be sad. :)

It might be the case that these variables have values that we know are safe just
from reading the code/statically; but I find it best to make it a habit to use
the quotes so that you are always safe.

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:30: wget -P ${FOLDER}/ ${URL}
Same thing here:

    wget -P "${FOLDER}/" "${URL}"

and throughout this script.

If you want to know wayyyy more than you ever wanted to know, this is fun:
http://www.dwheeler.com/essays/filenames-in-shell.html

[Dan Beam, 2017-01-11 20:58:58]

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:28: rm ${FOLDER}/${FILENAME}
On 2017/01/11 20:53:51, palmer wrote:
> > rm -f "${FOLDER}/${FILENAME}"
> 
> It's crucial to use the quotes, by the way, to avoid shell injection attacks
> from file names. If a file were named "foo.txt; rm -rf ~" we'd be sad. :)
> 
> It might be the case that these variables have values that we know are safe
just
> from reading the code/statically; but I find it best to make it a habit to use
> the quotes so that you are always safe.

yeah, this is one of the things i didn't mention but always do myself. sorry!

[dpapad, 2017-01-11 21:58:10]

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:28: rm ${FOLDER}/${FILENAME}
On 2017/01/11 at 20:17:50, Dan Beam wrote:
> nit: in a couple cases you ask whether a directory or file exists before
deleting it.  why not just remove it unconditionally with -f?
> 
> rm -f "${FOLDER}/${FILENAME}"

Done.

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:28: rm ${FOLDER}/${FILENAME}
On 2017/01/11 at 20:58:58, Dan Beam wrote:
> On 2017/01/11 20:53:51, palmer wrote:
> > > rm -f "${FOLDER}/${FILENAME}"
> > 
> > It's crucial to use the quotes, by the way, to avoid shell injection attacks
> > from file names. If a file were named "foo.txt; rm -rf ~" we'd be sad. :)
> > 
> > It might be the case that these variables have values that we know are safe
just
> > from reading the code/statically; but I find it best to make it a habit to
use
> > the quotes so that you are always safe.
> 
> yeah, this is one of the things i didn't mention but always do myself. sorry!

Done.

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:30: wget -P ${FOLDER}/ ${URL}
On 2017/01/11 at 20:53:51, palmer wrote:
> Same thing here:
> 
>     wget -P "${FOLDER}/" "${URL}"
> 
> and throughout this script.
> 
> If you want to know wayyyy more than you ever wanted to know, this is fun:
http://www.dwheeler.com/essays/filenames-in-shell.html

Done.

https://codereview.chromium.org/2574033002/diff/320001/third_party/node/updat...
third_party/node/update_node_binaries:103: sed -i
"s/\(chromium-nodejs\/\)\([0-9]\|\.\)\+/\1${NODE_VERSION:1}/" ../../DEPS
On 2017/01/11 at 20:17:50, Dan Beam wrote:
> [0-9]\|\. could just be [0-9\.]

Done and done.

[dpapad, 2017-01-11 22:15:02]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-11 22:16:26]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-11 22:22:27]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-11 22:22:28]

Dry run: Try jobs failed on following builders:
  android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm6...)
  android_clang_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_clan...)
  mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)

[dpapad, 2017-01-11 22:37:09]

The CQ bit was checked by dpapad@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-11 22:37:58]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-12 00:04:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-12 00:04:25]

Dry run: This issue passed the CQ dry run.

[Dirk Pranke, 2017-01-12 03:07:05]

Hi all,

I haven't been able to get to this yet, my apologies!

I will try to get to it by tomorrow.

[dpapad, 2017-01-13 00:30:51]

@palmer ping. Is there anything else to address related to security?

[palmer, 2017-01-13 01:02:28]

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:28: wget -P "${FOLDER}/" "${URL}"
Might be good to check if wget fails, for whatever reason (including failure to
check the nodejs.org HTTPS certificate). 1 thing you can do is

    set -e

at the top of the script, to have it just bail out on the first error. If you
don't want to do that you can just do the usual

    if ! wget ...; then
      exit 1
    fi

or whatever.

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:41: echo "${sha1}" >
"${FOLDER}/node-${SUFFIX}.tar.gz.sha1"
Maybe check the checksum that Node distributes? E.g.
https://nodejs.org/dist/latest-v6.x/SHASUMS256.txt.

If gsutil needs SHA-1, it's ok to use that, but we should at least do the
minimal check before assuming that the archive we got is good.

It'd be even better if we could get the archive and the SHA-256s from different
sources, in case 1 or the other gets compromised. (The real solution to this
problem is Binary Transparency, but for now let's just dot our i's and cross our
t's.)

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:77:
#######################################
Nit: I'd argue these comment blocks are unnecessary; the function names explain
themselves well enough.

[Dirk Pranke, 2017-01-13 01:40:43]

lgtm.

[M-A Ruel, 2017-01-13 02:25:03]

maruel@chromium.org changed reviewers:
+ maruel@chromium.org

[M-A Ruel, 2017-01-13 02:25:04]

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:28: wget -P "${FOLDER}/" "${URL}"
On 2017/01/13 01:02:27, palmer wrote:
> Might be good to check if wget fails, for whatever reason (including failure
to
> check the http://nodejs.org HTTPS certificate). 1 thing you can do is
> 
>     set -e
> 
> at the top of the script, to have it just bail out on the first error. If you
> don't want to do that you can just do the usual
> 
>     if ! wget ...; then
>       exit 1
>     fi
> 
> or whatever.

I highly recomment "set -eu". It's more annoying to write the script when you
expect subcommands to normally exit non zero but it's much safer.

[dpapad, 2017-01-13 03:28:10]

Addressed comments. PTAL.

Also, after looking at the SHA256SUM file I realized that there was a gz binary
available for Linux (instead of the xz I was using before), so I was able to
merge update_linux and update_mac to a single method (now taking two
parameters).

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:28: wget -P "${FOLDER}/" "${URL}"
On 2017/01/13 at 02:25:04, M-A Ruel wrote:
> On 2017/01/13 01:02:27, palmer wrote:
> > Might be good to check if wget fails, for whatever reason (including failure
to
> > check the http://nodejs.org HTTPS certificate). 1 thing you can do is
> > 
> >     set -e
> > 
> > at the top of the script, to have it just bail out on the first error. If
you
> > don't want to do that you can just do the usual
> > 
> >     if ! wget ...; then
> >       exit 1
> >     fi
> > 
> > or whatever.
> 
> I highly recomment "set -eu". It's more annoying to write the script when you
expect subcommands to normally exit non zero but it's much safer.

Done.

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:41: echo "${sha1}" >
"${FOLDER}/node-${SUFFIX}.tar.gz.sha1"
On 2017/01/13 at 01:02:28, palmer wrote:
> Maybe check the checksum that Node distributes? E.g.
https://nodejs.org/dist/latest-v6.x/SHASUMS256.txt.
> 
> If gsutil needs SHA-1, it's ok to use that, but we should at least do the
minimal check before assuming that the archive we got is good.
> 
> It'd be even better if we could get the archive and the SHA-256s from
different sources, in case 1 or the other gets compromised. (The real solution
to this problem is Binary Transparency, but for now let's just dot our i's and
cross our t's.)

It's download_from_google_storage script that requires SHA1 (see
https://cs.chromium.org/chromium/tools/depot_tools/download_from_google_stora...
and all over that file).

I added checks to ensure that the downloaded binaries match the SHA256 hashes.

https://codereview.chromium.org/2574033002/diff/380001/third_party/node/updat...
third_party/node/update_node_binaries:77:
#######################################
On 2017/01/13 at 01:02:27, palmer wrote:
> Nit: I'd argue these comment blocks are unnecessary; the function names
explain themselves well enough.

Removed.

[Dan Beam, 2017-01-13 03:34:12]

still lgtm

https://codereview.chromium.org/2574033002/diff/400001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/400001/third_party/node/updat...
third_party/node/update_node_binaries:70: echo $sha256_expected $sha256_actual
debug statement?

[dpapad, 2017-01-13 03:36:29]

https://codereview.chromium.org/2574033002/diff/400001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/400001/third_party/node/updat...
third_party/node/update_node_binaries:70: echo $sha256_expected $sha256_actual
On 2017/01/13 at 03:34:12, Dan Beam wrote:
> debug statement?

Removed.

[M-A Ruel, 2017-01-13 14:17:54]

rs lgtm

[palmer, 2017-01-13 20:56:28]

LGTM % nits and quotes

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:31: sha256_expected="$(cat SHASUMS256.txt
| grep ${FILENAME} | cut -d ' ' -f1)"
You can shorten this to

    sha256_expected="$(grep ${FILENAME} SHASUMS256.txt | cut -d ' ' -f1)"

I think it might be best to quote the file name, too; and the curly braces are
unnecessary here:

    sha256_expected="$(grep "$FILENAME" SHASUMS256.txt | cut -d ' ' -f1)"

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:32: local sha256_actual
Nit: FWIW, you can combine the declaration and the definition:

    local sha256_actual=...

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:33: sha256_actual="$(sha256sum
${FOLDER}/${FILENAME} | cut -d ' ' -f1)"
Quotes here too, I think.

[dpapad, 2017-01-13 22:35:15]

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
File third_party/node/update_node_binaries (right):

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:31: sha256_expected="$(cat SHASUMS256.txt
| grep ${FILENAME} | cut -d ' ' -f1)"
On 2017/01/13 at 20:56:27, palmer wrote:
> You can shorten this to
> 
>     sha256_expected="$(grep ${FILENAME} SHASUMS256.txt | cut -d ' ' -f1)"
> 
> I think it might be best to quote the file name, too; and the curly braces are
unnecessary here:
> 
>     sha256_expected="$(grep "$FILENAME" SHASUMS256.txt | cut -d ' ' -f1)"

Done.

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:32: local sha256_actual
On 2017/01/13 at 20:56:27, palmer wrote:
> Nit: FWIW, you can combine the declaration and the definition:
> 
>     local sha256_actual=...

I am following the styleguide, which says:
"Declare function-specific variables with local. Declaration and assignment
should be on different lines."

See,
https://google.github.io/styleguide/shell.xml?showone=Use_Local_Variables#Use....

https://codereview.chromium.org/2574033002/diff/420001/third_party/node/updat...
third_party/node/update_node_binaries:33: sha256_actual="$(sha256sum
${FOLDER}/${FILENAME} | cut -d ' ' -f1)"
On 2017/01/13 at 20:56:28, palmer wrote:
> Quotes here too, I think.

Done.

[Dan Beam, 2017-01-13 23:04:00]

Description was changed from

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_...

BUG=673825
==========

to

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_...

BUG=673825
==========

[Dan Beam, 2017-01-13 23:04:00]

dbeam@chromium.org changed reviewers:
- scottchen@chromium.org

[dpapad, 2017-01-14 01:34:45]

FYI open source licensing review completed.

[dpapad, 2017-01-14 01:44:39]

The CQ bit was checked by dpapad@chromium.org

[dpapad, 2017-01-14 01:44:40]

The patchset sent to the CQ was uploaded after l-g-t-m from
dpranke@chromium.org, dbeam@chromium.org, palmer@chromium.org,
maruel@chromium.org
Link to the patchset: https://codereview.chromium.org/2574033002/#ps440001
(title: "Nits.")

[commit-bot: I haz the power, 2017-01-14 01:45:03]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-14 01:49:09]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-14 01:49:11]

Try jobs failed on following builders:
  android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm6...)
  android_compile_dbg on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_comp...)
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[dpapad, 2017-01-14 01:55:36]

The CQ bit was checked by dpapad@chromium.org

[dpapad, 2017-01-14 01:55:37]

The patchset sent to the CQ was uploaded after l-g-t-m from palmer@chromium.org,
dpranke@chromium.org, dbeam@chromium.org, maruel@chromium.org
Link to the patchset: https://codereview.chromium.org/2574033002/#ps460001
(title: "Add missing sha1 file.")

[commit-bot: I haz the power, 2017-01-14 01:55:56]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-14 03:06:00]

CQ is committing da patch.

Bot data: {"patchset_id": 460001, "attempt_start_ts": 1484358936935960,
"parent_rev": "85990128f90e66efb2d1a83caeca578ab93c275e", "commit_rev":
"cbee6ab37edb7df0d8d5354fd2af29e968f33e94"}

[commit-bot: I haz the power, 2017-01-14 03:06:33]

Description was changed from

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_...

BUG=673825
==========

to

==========
Downloading Node and NPM deps via gclient sync.

This is necessary for WebUI to harness several Node based tools
to speed up performance, as well as remove generated code that is
currently checked in as source code.

Discussion occurred at:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/H2IqgqwdUqs/yn_6_...

BUG=673825

Review-Url: https://codereview.chromium.org/2574033002
Cr-Commit-Position: refs/heads/master@{#443777}
Committed:
https://chromium.googlesource.com/chromium/src/+/cbee6ab37edb7df0d8d5354fd2af...
==========

[commit-bot: I haz the power, 2017-01-14 03:06:35]

Committed patchset #20 (id:460001) as
https://chromium.googlesource.com/chromium/src/+/cbee6ab37edb7df0d8d5354fd2af...

[Wez, 2017-02-07 19:52:42]

wez@chromium.org changed reviewers:
+ sky@chromium.org

[Wez, 2017-02-07 19:52:44]

Hallo sky@chromium.org!
Due to a depot_tools patch which mistakenly removed the OWNERS check for
non-source files (see crbug.com/684270), the following files landed in this CL
and need a retrospective review from you:
	third_party/node/LICENSE
	third_party/node/OWNERS
	third_party/node/README.chromium
	third_party/node/linux/node-linux-x64.tar.gz.sha1
	third_party/node/mac/node-darwin-x64.tar.gz.sha1
	third_party/node/node_modules.tar.gz.sha1
	third_party/node/npm_exclude.txt
	third_party/node/package.json
	third_party/node/update_node_binaries
	third_party/node/update_npm_deps
	third_party/node/win/node.exe.sha1
Thanks,
Wez