| 1 |
On 06/30/2015 08:35 AM, William Hubbs wrote: |
| 2 |
> All, |
| 3 |
> |
| 4 |
> we have digressed a bit, so I want to bring the discussion back to what |
| 5 |
> my main concerns are about this issue. |
| 6 |
> |
| 7 |
> 1. Should we bundle Go packages with Go software? |
| 8 |
> |
| 9 |
> If we do, except for the Go standard library which is part of |
| 10 |
> dev-lang/go, do we need to bother with installing Go sources and |
| 11 |
> packages at all? |
| 12 |
> |
| 13 |
> The down side of the whole bundling idea is that every consumer |
| 14 |
> on someone's system could potentially have a different version of the |
| 15 |
> Go package, which doesn't lend itself well to security concerns. |
| 16 |
> |
| 17 |
> This is why bundling is generally discouraged in Gentoo. |
| 18 |
|
| 19 |
Yes, as a general rule, bundling is sub-optimal. However, there are |
| 20 |
often exceptions to general rules like these, especially when there are |
| 21 |
competing concerns to contend with. |
| 22 |
|
| 23 |
> Also, if we bundle, most of dev-go/* doesn't need to exist because these |
| 24 |
> libraries would be bundled into and statically linked into the software |
| 25 |
> that needs them. |
| 26 |
|
| 27 |
Some static libraries are commonly used enough that it might be |
| 28 |
reasonable to install them. Alternatively, we might invent a notion of |
| 29 |
having one ebuild execute another ebuild in order to install static |
| 30 |
dependencies into a temporary build directory. |
| 31 |
|
| 32 |
> 2. How should we bundle? |
| 33 |
> |
| 34 |
> This is where my concern about consul and some other ebuilds comes in. |
| 35 |
> |
| 36 |
> The way the consul ebuild is written (putting the commit hashes of |
| 37 |
> dependencies in SRC_URI) assumes that all of the dependencies will stay |
| 38 |
> on github. This makes the ebuild far less flexable than go itself is. |
| 39 |
|
| 40 |
Agreed. However, there's no rule which says that we have to force all |
| 41 |
ebuilds to fit into common templates. |
| 42 |
|
| 43 |
> If we are going to bundle, I would rather have one tarball that includes |
| 44 |
> all of the sources for consul and the dependent libraries dropped on the |
| 45 |
> Gentoo mirrors. Such a tarball is very easy to create. |
| 46 |
|
| 47 |
I would prefer to use separate tarballs for each dependency, preferably |
| 48 |
with the commit hash encoded in the tarball name. This makes the ebuild |
| 49 |
dependencies transparent in the sense that the commit hashes of the |
| 50 |
dependencies are readily available. The "one big tarball" is opaque |
| 51 |
rather than transparent, and it will have a tendency bloat the mirrors. |
| 52 |
By keeping the dependencies in separate tarballs, we can easily do a |
| 53 |
revbump that updates a subset of the dependencies, without having to |
| 54 |
re-pack everything into a big bloated tarball. |
| 55 |
-- |
| 56 |
Thanks, |
| 57 |
Zac |
Archives