Gentoo Archives: gentoo-dev

From: "Arsen Arsenović" <arsen@××××××.me>
To: gentoo-dev@l.g.o
Cc: William Hubbs <williamh@g.o>, Florian Schmaus <flow@g.o>
Subject: Re: [gentoo-dev] Proposal to undeprecate EGO_SUM
Date: Tue, 14 Jun 2022 17:34:59
Message-Id: 3404255.uGPaa05TMh@bstg
In Reply to: [gentoo-dev] Proposal to undeprecate EGO_SUM by Florian Schmaus
(replying to the first post here as I believe this post is relevant to
most, if not all, subthreads)

I've prepared a PoC of an automated solution for vendoring[1] a while
back (around the start of this whole discussion) that would place trust
in the infrastructure (though potentially verifiable).

My concept provides two solutions:
1) go mod vendor - not verifiable by users (as vendor tars don't include
   enough information for checksumming - see also [2])
2) modcache - significantly larger but verifiable on the client (against
   the existing go.sum). These archives really go up to gigabytes in size,
   as opposed to a few megs for vendored tarballs.

Please note that [1] is on a small server, possibly broken, pretty slow,
and not fit for production yet. Ping me on IRC if you encounter issues
so that I can "unjam" it.

Also note that this thing doesn't attempt much to figure out how to
convert a ${PV} or any other version format, and essentially leaves
that up to the GOPROXY (with very little extra work, see: [3]).

The proposed solution here is that the developer passes something like
${PV} -> vendor.tar into $SRC_URI,
which would get initiated with a call to ``pkgdev manifest'' or such
(possibly authenticated via IP or keys or something, to prevent abuse),
and be done with it.

The biggest downside I've seen so far (excluding further developing the
solution) is that some Go programs don't respect the restrictions of the
Go module system, and thus fail to fetch.

[1]:
[2]:
[3]:

--
Arsen Arsenović
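The post contrasts a vendor tarball (not checkable by the user) with a module cache archive (checkable against the consumer's existing go.sum). The following is an added example, not code from the post, from Gentoo or from the Go project: it reimplements the "h1:" hash that go.sum records (the dirhash Hash1 algorithm the Go toolchain applies to a module zip's file list), recomputes it for a constructed in-memory module, checks it against a constructed go.sum, and then shows the same check failing once the test files are dropped, which is one of the things `go mod vendor` does to a dependency. The module path example.com/sample, its version and its file contents are made up for the demonstration.

```go
package main

// Added example (not from the post, Gentoo or Go): recompute the "h1:" hash
// go.sum stores and verify a file set against it. Sample module is constructed.

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hash1 is the dirhash "h1:" algorithm: sort the file names, hash each file's
// content, feed one "<hex sha256>  <name>\n" line per file into a second
// SHA-256, and base64-encode that digest.
func Hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("dirhash: filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		content := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", content, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ModuleHash hashes a module as the toolchain hashes its zip: every entry is
// named "<module>@<version>/<path>", so the same files under another path or
// version yield a different h1.
func ModuleHash(module, version string, files map[string][]byte) (string, error) {
	prefixed := make(map[string][]byte, len(files))
	for name, content := range files {
		prefixed[module+"@"+version+"/"+name] = content
	}
	return Hash1(prefixed)
}

// ParseGoSum maps "<module> <version>" (or "<module> <version>/go.mod") to
// the recorded hash. Malformed lines are rejected rather than skipped.
func ParseGoSum(text string) (map[string]string, error) {
	sums := make(map[string]string)
	for i, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry %q", i+1, line)
		}
		sums[fields[0]+" "+fields[1]] = fields[2]
	}
	return sums, nil
}

// Verify recomputes the hash of files (e.g. an extracted module cache zip)
// and compares it with the go.sum entry for module@version.
func Verify(goSum, module, version string, files map[string][]byte) error {
	sums, err := ParseGoSum(goSum)
	if err != nil {
		return err
	}
	want, ok := sums[module+" "+version]
	if !ok {
		return fmt.Errorf("%s %s: no go.sum entry", module, version)
	}
	got, err := ModuleHash(module, version, files)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("%s %s: hash mismatch: go.sum %s, got %s", module, version, want, got)
	}
	return nil
}

// Constructed sample module, standing in for a zip from the module cache.
const sampleModule, sampleVersion = "example.com/sample", "v1.0.0"

var sampleFiles = map[string][]byte{
	"go.mod":         []byte("module example.com/sample\n\ngo 1.18\n"),
	"sample.go":      []byte("package sample\n\nfunc Answer() int { return 42 }\n"),
	"sample_test.go": []byte("package sample\n\nimport \"testing\"\n\nfunc TestAnswer(t *testing.T) {\n\tif Answer() != 42 {\n\t\tt.Fatal()\n\t}\n}\n"),
}

// VendoredSubset mimics one thing `go mod vendor` does to a dependency: it
// leaves the test files out, so the zip hash can no longer be recomputed.
func VendoredSubset(files map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for name, content := range files {
		if !strings.HasSuffix(name, "_test.go") {
			out[name] = content
		}
	}
	return out
}

// SampleGoSum builds the go.sum a consumer of the sample module would carry.
func SampleGoSum() (string, error) {
	modHash, err := ModuleHash(sampleModule, sampleVersion, sampleFiles)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s %s %s\n", sampleModule, sampleVersion, modHash), nil
}

func main() {
	goSum, err := SampleGoSum()
	if err != nil {
		panic(err)
	}
	fmt.Print(goSum)
	fmt.Println("modcache files: ", Verify(goSum, sampleModule, sampleVersion, sampleFiles))
	fmt.Println("vendored subset:", Verify(goSum, sampleModule, sampleVersion, VendoredSubset(sampleFiles)))
}
```

The first Verify call succeeds because the full zip contents are present; the second fails, which is the point the post makes about vendor tarballs: once files are pruned, nothing on the client side can tie what is left back to the hash in go.sum.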

