1 |
On Fri, 2019-01-18 at 22:22 +0000, James Le Cuirot wrote: |
2 |
> On Fri, 18 Jan 2019 21:13:34 +0100 |
3 |
> Michał Górny <mgorny@g.o> wrote: |
4 |
> |
5 |
> > So apparently 14.2% of dependencies allow any slot of OpenSSL which is |
6 |
> > most likely wrong, and 1.4% explicitly claim that's what the package |
7 |
> > wants. This could be valid only if e.g. the package supported multiple |
8 |
> > ABIs of OpenSSL libraries and used dlopen() with a few possible SONAMEs |
9 |
> > which I honestly doubt any of those packages is doing. |
10 |
> > |
11 |
> > In other words, 14.2% of dependencies on OpenSSL are plain wrong, |
12 |
> > and 6.4% are wrong in a way that isn't going to be reported by repoman. |
13 |
> > 1.4% of cases are using ':*' which probably indicates the developer |
14 |
> > decided to silence repoman without understanding how slot operators work |
15 |
> > which is a horrible thing from QA perspective. |
16 |
> > |
17 |
> > We also have a few cases that require specific OpenSSL subslot (e.g. |
18 |
> > forcing old version into :0 slot) but *none* actually using the binary |
19 |
> > compatibility slots. |
20 |
> |
21 |
> I have noticed this and more generally that slot operators are poorly |
22 |
> understood, which is frustrating. I was initially inclined to say that |
23 |
> I think the model still fits and we should educate devs better but... |
24 |
|
25 |
At some point you realize that the sheer amount of knowledge needed to |
26 |
contribute to Gentoo is just too large. You can't expect people to |
27 |
spend days (finding and) reading documentation for all the corner cases. |
28 |
I believe that if we can make something more obvious, we should go for |
29 |
it. |
30 |
|
31 |
> > Secondly, it is confusing to users. If we remove old versions and only |
32 |
> > keep binary compatibility slots, users can be easily tricked into |
33 |
> > installing them and being surprised it's not a complete package. If we |
34 |
> > keep old versions, we end up having different revisions of the same |
35 |
> > version in different slots which is also easily confused. |
36 |
> |
37 |
> I can't say I've ever seen this happen but I don't speak to many users. |
38 |
> I'll buy it. |
39 |
|
40 |
I don't know if it happens, to be honest. However, I'm going for |
41 |
the assumptions that there is no reason why a regular user would need to |
42 |
know the purpose or meaning of different version schemes and slotting |
43 |
on various packages. |
44 |
|
45 |
> What do you think? |
46 |
> |
47 |
> I'm on board as I have to deal with this a lot in games and I think |
48 |
> there were one or two more on my list to add. |
49 |
> |
50 |
> The only downside is that packages requiring what is currently the |
51 |
> latest version would need to be updated later, though I guess you could |
52 |
> use || instead. Take libpng, for example: |
53 |
> |
54 |
> > > ( =media-libs/libpng-1.6* media-libs/libpng-bin-compat:1.6 ) |
55 |
> |
56 |
> Or perhaps? |
57 |
> |
58 |
> > > ( media-libs/libpng:0/16 media-libs/libpng-bin-compat:1.6 ) |
59 |
> |
60 |
|
61 |
This happens with the current model as well, and I don't think '1.6*' |
62 |
solution is commonly applicable. For the less friendly cases, you need |
63 |
stuff like: |
64 |
|
65 |
|| ( dev-libs/openssl:0/0 dev-libs/openssl:1.0.0 ) |
66 |
|
67 |
which isn't very obvious either. |
68 |
|
69 |
-- |
70 |
Best regards, |
71 |
Michał Górny |