This Week #8: Secrets + Auth Cleanup, Deploying Search w/ Devbox, New Release

This week from the Jetpack team: releasing Devbox 0.5.14, polishing our UI for the upcoming Secrets beta, testing Devbox Deploys with Nixhub.


This week, I focused on refining our user login, organization creation, and member invitation processes. We are prepping to launch envsec to a wider crowd! I also dedicated the last two days to crafting the appshell and navigation menu for the Jetpack Cloud dashboard. We should be all set to dive into projects and payments next.


Last week was cleanup week, so I mainly focused on finishing up the work on the deployments project from the last two weeks. The work got prolonged due to changes in the database and design decisions. But I managed to finish up most of the work. That is, implementing an SDK-style importable package to save and fetch deployment settings, which will be used in our GitHub webhook listener, as well as implementing an HTTP API wrapper around it. I’m hoping this week we can clean up the last bits and have an end-to-end demo for our deployments project.


We are between cycles this week, so I worked with Daniel to prioritize the list of upcoming features and user requests for the next cycle. I'm looking forward to kicking off some early beta testing of our Secrets product this cycle, and releasing 0.6.0 this week with faster package installs.

I also published our latest 0.5.14 release, which includes several bug fixes reported by our community. We expect this to be the last release for the 0.5 series, and look forward to releasing some bigger features as part of 0.6 onward.


This week was mostly polish and miscellaneous Devbox bug fixes, plus improvements to the Nixhub index and service reliability. Nixhub and Devbox search should now detect and prioritize installing pre-built packages from the Nix binary cache. I did get to experiment a little bit with the macOS Virtualization Framework to see if it would work well with certain Devbox use-cases. It’s pretty slick how easy it makes running full macOS or Linux VMs locally.


Worked on a bunch of final details on envsec. Finished the refresh logic for auth tokens and merged that into our auth library and released the latest envsec version. We improved the Devbox integration by automatically adding envsec to path and allowing you to use envsec commands through devbox run even if you’ve never installed envsec. I’m pretty excited about this integration and we should start dogfooding it this week!

In non-envsec projects, I worked on a few dependency management flags in devbox that should make monorepos a much more enjoyable experience. Added a new and experimental --sync-lock flag that causes all identical keys in lockfiles to resolve to the same dependency. Also added a new update --all-projects flag that recursively updates dependencies in all devbox projects under a given working directory. Both of these will make managing multiple projects much nicer!


Aside from travel, which has taken some of my time this week and next week, I mostly focused on planning. I led the team's brainstorming on next projects to focus on so we can start narrowing down next cycle, and spent time w/ John dogfooding and creating a friction log of our secrets solution.


This past week I mainly focused on getting our search service to be deployed with our deployments product. I have some work-in-progress related to setting rules for deciding when to deploy (e.g. what branches, which files), which I hope to merge soon. I also worked on adding some basic http scaffolding that includes auth token validation so that we can expose http endpoints that we can use when building a dashboard/UI on top of it.


This past week, I cleaned up my prototype code for resolving glibc-dynamic-linking problems. Unfortunately, I got stuck with the Nix language, and will be circling back to it this week to get unstuck.

In the meantime, John reported a heisenbug issue with running devbox run build: Sometimes the bug would repro, other times not. I spent quite some time investigating it, and discovered the source was a recent refactor with the bash nix package. As a result, previously, it would install sh and bash binaries but now it doesn't by default. The installed binaries changed based on the version of the package installed.

Once I could reliably reproduce the issue, the underlying cause was that we were not correctly handling nested devbox shellenvs of different devbox projects (you can consider devbox global as its devbox project). An update to one of the devbox projects could drop PATH elements of the other projects. The fix involved adding an internal notion of a "path stack." The path stack knows which devbox-projects are active in the PATH and tracks their path fragments separately. It can then re-build PATH from each of these fragments. An update to a devbox project would then only affect that devbox project's path fragment without affecting the other projects' path fragments or the priority in which they appear in PATH.
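The path-stack idea described in the update above, sketched as an added example; this is not Devbox's own code. The type and method names, the sample directories, and the choice to put a newly activated project at the front of PATH are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// fragment holds the PATH entries contributed by one project (hypothetical type).
type fragment struct {
	project string
	dirs    []string
}

// PathStack keeps fragments in priority order; index 0 comes first in PATH.
type PathStack struct{ frags []fragment }

// Update replaces an active project's fragment in place, so its priority and
// the other projects' fragments are untouched. A project that is not yet
// active is pushed to the front (assumption: innermost shell wins).
func (s *PathStack) Update(project string, dirs []string) {
	for i := range s.frags {
		if s.frags[i].project == project {
			s.frags[i].dirs = dirs
			return
		}
	}
	s.frags = append([]fragment{{project: project, dirs: dirs}}, s.frags...)
}

// Build re-assembles PATH from every fragment, then the base (non-project)
// entries, dropping empty and duplicate directories.
func (s *PathStack) Build(base string) string {
	seen := map[string]bool{}
	var out []string
	add := func(d string) {
		if d != "" && !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	for _, f := range s.frags {
		for _, d := range f.dirs {
			add(d)
		}
	}
	for _, d := range strings.Split(base, ":") {
		add(d)
	}
	return strings.Join(out, ":")
}

func main() {
	var s PathStack // constructed sample directories below
	s.Update("global", []string{"/g/bin"})
	s.Update("proj", []string{"/p/bin"})
	s.Update("global", []string{"/g2/bin", "/g/bin"}) // proj's entry survives
	fmt.Println(s.Build("/usr/bin:/bin"))
}
```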