| 1 |
On 2022-02-12 22:58, Michał Górny wrote: |
| 2 |
> On Fri, 2022-02-11 at 00:53 -0600, William Hubbs wrote: |
| 3 |
> > On Thu, Feb 10, 2022 at 07:27:15PM +0100, Andreas K. Huettel wrote: |
| 4 |
> > > > I just realized a down side to this approach, but I don't know how |
| 5 |
> > > > important that down side is. |
| 6 |
> > > > |
| 7 |
> > > > As the example shows, if a package has a vendor directory we would trust |
| 8 |
> > > > it so nothing would need to be done. If we have to run "go mod |
| 9 |
> > > > download", however, this populates the dependency cache from the |
| 10 |
> > > > internet. This means that a package that requires this could not be |
| 11 |
> > > > built if the building machine is not on the net. |
| 12 |
> > > |
| 13 |
> > > (hands William a golden potato) |
| 14 |
> > > |
| 15 |
> > > Congratulations, you've just rediscovered why we do the things the way |
| 16 |
> > > we're doing them now... |
| 17 |
> > |
| 18 |
> > And, you dropped my question at the end of this message, |
| 19 |
> > so let me bring it back. |
| 20 |
> > |
| 21 |
> > > I don't know how important this is, because it is true for any go |
| 22 |
> > > package without a vendor directory no matter how you build it. |
| 23 |
> > |
| 24 |
> > This could also apply to a rust or nodejs package. |
| 25 |
> > |
| 26 |
> > The build process for all of these languages has the potential to reach |
| 27 |
> > out to the net to download dependencies. |
| 28 |
> > |
| 29 |
> > Iam talking mostly about Go, because that's what I work with, but I know |
| 30 |
> > it isn't the only language that does this. |
| 31 |
> > |
| 32 |
> > In the list of solutions Robin put on this thread, I prefer the third |
| 33 |
> > group. That would involve the fetch_extra phase which would for go |
| 34 |
> > basically be "cd ${S} || die; go mod download || die" along with an |
| 35 |
> > environment variable that would put modules under distfiles. |
| 36 |
> > |
| 37 |
> > If you have an idea for a better solution, I'm willing to hear it. |
| 38 |
> > |
| 39 |
> |
| 40 |
> The "better solution" has already been provided -- repackage it. |
| 41 |
> All of your solutions solve only part of the problem, and usually |
| 42 |
> introduce more problems. The current distfile fetching solution works |
| 43 |
> well for over 99% of the Gentoo packages today (this is not "the 99%" |
| 44 |
> but actual numbers, more below). The problem is with Go, and Go needs |
| 45 |
> to be fixed (or worked around), and don't extend it to "theoretically |
| 46 |
> Rust or NodeJS" because they're nowhere close to how badly designed Go |
| 47 |
> ecosystem is. |
| 48 |
|
| 49 |
In addition to repackaging maintainers should ask upstream to include |
| 50 |
vendor directory in their release tarballs or VCS. It's as simple as |
| 51 |
running "go mod vendor". I think upstream will be scared enough with |
| 52 |
current ebuilds and manifests to do it :) |
| 53 |
|
| 54 |
Example of a project using vendor directory: |
| 55 |
https://github.com/42wim/matterbridge |
| 56 |
|
| 57 |
Its manifest is only one line and ebuild has no EGO_SUM and no issues |
| 58 |
with SRC_URI. |
| 59 |
https://git.sr.ht/~dblsaiko/ebuilds/tree/master/item/net-im/matterbridge/Manifest |
Archives