1 |
On 2022-02-12 22:58, Michał Górny wrote: |
2 |
> On Fri, 2022-02-11 at 00:53 -0600, William Hubbs wrote: |
3 |
> > On Thu, Feb 10, 2022 at 07:27:15PM +0100, Andreas K. Huettel wrote: |
4 |
> > > > I just realized a down side to this approach, but I don't know how |
5 |
> > > > important that down side is. |
6 |
> > > > |
7 |
> > > > As the example shows, if a package has a vendor directory we would trust |
8 |
> > > > it so nothing would need to be done. If we have to run "go mod |
9 |
> > > > download", however, this populates the dependency cache from the |
10 |
> > > > internet. This means that a package that requires this could not be |
11 |
> > > > built if the building machine is not on the net. |
12 |
> > > |
13 |
> > > (hands William a golden potato) |
14 |
> > > |
15 |
> > > Congratulations, you've just rediscovered why we do the things the way |
16 |
> > > we're doing them now... |
17 |
> > |
18 |
> > And, you dropped my question at the end of this message, |
19 |
> > so let me bring it back. |
20 |
> > |
21 |
> > > I don't know how important this is, because it is true for any go |
22 |
> > > package without a vendor directory no matter how you build it. |
23 |
> > |
24 |
> > This could also apply to a rust or nodejs package. |
25 |
> > |
26 |
> > The build process for all of these languages has the potential to reach |
27 |
> > out to the net to download dependencies. |
28 |
> > |
29 |
> > Iam talking mostly about Go, because that's what I work with, but I know |
30 |
> > it isn't the only language that does this. |
31 |
> > |
32 |
> > In the list of solutions Robin put on this thread, I prefer the third |
33 |
> > group. That would involve the fetch_extra phase which would for go |
34 |
> > basically be "cd ${S} || die; go mod download || die" along with an |
35 |
> > environment variable that would put modules under distfiles. |
36 |
> > |
37 |
> > If you have an idea for a better solution, I'm willing to hear it. |
38 |
> > |
39 |
> |
40 |
> The "better solution" has already been provided -- repackage it. |
41 |
> All of your solutions solve only part of the problem, and usually |
42 |
> introduce more problems. The current distfile fetching solution works |
43 |
> well for over 99% of the Gentoo packages today (this is not "the 99%" |
44 |
> but actual numbers, more below). The problem is with Go, and Go needs |
45 |
> to be fixed (or worked around), and don't extend it to "theoretically |
46 |
> Rust or NodeJS" because they're nowhere close to how badly designed Go |
47 |
> ecosystem is. |
48 |
|
49 |
In addition to repackaging maintainers should ask upstream to include |
50 |
vendor directory in their release tarballs or VCS. It's as simple as |
51 |
running "go mod vendor". I think upstream will be scared enough with |
52 |
current ebuilds and manifests to do it :) |
53 |
|
54 |
Example of a project using vendor directory: |
55 |
https://github.com/42wim/matterbridge |
56 |
|
57 |
Its manifest is only one line and ebuild has no EGO_SUM and no issues |
58 |
with SRC_URI. |
59 |
https://git.sr.ht/~dblsaiko/ebuilds/tree/master/item/net-im/matterbridge/Manifest |