1 |
On 06/30/2015 08:35 AM, William Hubbs wrote: |
2 |
> All, |
3 |
> |
4 |
> we have digressed a bit, so I want to bring the discussion back to what |
5 |
> my main concerns are about this issue. |
6 |
> |
7 |
> 1. Should we bundle Go packages with Go software? |
8 |
> |
9 |
> If we do, except for the Go standard library which is part of |
10 |
> dev-lang/go, do we need to bother with installing Go sources and |
11 |
> packages at all? |
12 |
> |
13 |
> The down side of the whole bundling idea is that every consumer |
14 |
> on someone's system could potentially have a different version of the |
15 |
> Go package, which doesn't lend itself well to security concerns. |
16 |
> |
17 |
> This is why bundling is generally discouraged in Gentoo. |
18 |
|
19 |
Yes, as a general rule, bundling is sub-optimal. However, there are |
20 |
often exceptions to general rules like these, especially when there are |
21 |
competing concerns to contend with. |
22 |
|
23 |
> Also, if we bundle, most of dev-go/* doesn't need to exist because these |
24 |
> libraries would be bundled into and statically linked into the software |
25 |
> that needs them. |
26 |
|
27 |
Some static libraries are commonly used enough that it might be |
28 |
reasonable to install them. Alternatively, we might invent a notion of |
29 |
having one ebuild execute another ebuild in order to install static |
30 |
dependencies into a temporary build directory. |
31 |
|
32 |
> 2. How should we bundle? |
33 |
> |
34 |
> This is where my concern about consul and some other ebuilds comes in. |
35 |
> |
36 |
> The way the consul ebuild is written (putting the commit hashes of |
37 |
> dependencies in SRC_URI) assumes that all of the dependencies will stay |
38 |
> on github. This makes the ebuild far less flexable than go itself is. |
39 |
|
40 |
Agreed. However, there's no rule which says that we have to force all |
41 |
ebuilds to fit into common templates. |
42 |
|
43 |
> If we are going to bundle, I would rather have one tarball that includes |
44 |
> all of the sources for consul and the dependent libraries dropped on the |
45 |
> Gentoo mirrors. Such a tarball is very easy to create. |
46 |
|
47 |
I would prefer to use separate tarballs for each dependency, preferably |
48 |
with the commit hash encoded in the tarball name. This makes the ebuild |
49 |
dependencies transparent in the sense that the commit hashes of the |
50 |
dependencies are readily available. The "one big tarball" is opaque |
51 |
rather than transparent, and it will have a tendency bloat the mirrors. |
52 |
By keeping the dependencies in separate tarballs, we can easily do a |
53 |
revbump that updates a subset of the dependencies, without having to |
54 |
re-pack everything into a big bloated tarball. |
55 |
-- |
56 |
Thanks, |
57 |
Zac |