| 1 |
On Thu, Feb 10, 2022 at 07:27:15PM +0100, Andreas K. Huettel wrote: |
| 2 |
> > I just realized a down side to this approach, but I don't know how |
| 3 |
> > important that down side is. |
| 4 |
> > |
| 5 |
> > As the example shows, if a package has a vendor directory we would trust |
| 6 |
> > it so nothing would need to be done. If we have to run "go mod |
| 7 |
> > download", however, this populates the dependency cache from the |
| 8 |
> > internet. This means that a package that requires this could not be |
| 9 |
> > built if the building machine is not on the net. |
| 10 |
> |
| 11 |
> (hands William a golden potato) |
| 12 |
> |
| 13 |
> Congratulations, you've just rediscovered why we do the things the way |
| 14 |
> we're doing them now... |
| 15 |
|
| 16 |
And, you dropped my question at the end of this message, |
| 17 |
so let me bring it back. |
| 18 |
|
| 19 |
> I don't know how important this is, because it is true for any go |
| 20 |
> package without a vendor directory no matter how you build it. |
| 21 |
|
| 22 |
This could also apply to a rust or nodejs package. |
| 23 |
|
| 24 |
The build process for all of these languages has the potential to reach |
| 25 |
out to the net to download dependencies. |
| 26 |
|
| 27 |
Iam talking mostly about Go, because that's what I work with, but I know |
| 28 |
it isn't the only language that does this. |
| 29 |
|
| 30 |
In the list of solutions Robin put on this thread, I prefer the third |
| 31 |
group. That would involve the fetch_extra phase which would for go |
| 32 |
basically be "cd ${S} || die; go mod download || die" along with an |
| 33 |
environment variable that would put modules under distfiles. |
| 34 |
|
| 35 |
If you have an idea for a better solution, I'm willing to hear it. |
| 36 |
|
| 37 |
William |
Archives