1 |
On Tue, Feb 18, 2020 at 11:46:45PM -0600, William Hubbs wrote: |
2 |
> > -# If it does not have a vendor directory, you should use the EGO_VENDOR |
3 |
> > +# Alternatively, older versions of this eclass used the EGO_VENDOR |
4 |
> > # variable and the go-module_vendor_uris function as shown in the |
5 |
> > # example below to handle dependencies. |
6 |
> I think we can remove the example with EGO_VENDOR and |
7 |
> go-module_vendor_uris; we really don't want people to continue following |
8 |
> that example. |
9 |
I tried to handle more cases here, but now I'm wondering if it would be |
10 |
cleaner just to put all of new way into a distinct eclass, and sunset |
11 |
the old eclass entirely. I found unforeseen interactions, see below. |
12 |
|
13 |
> > +# S="${WORKDIR}/${MY_P}" |
14 |
> The default setting of S should be fine for most ebuilds, so I don't |
15 |
> think we need this in the example. |
16 |
I'd copied it, but yes in this case. |
17 |
|
18 |
> |
19 |
> > +# go-module_set_globals |
20 |
> > +# |
21 |
> > +# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz |
22 |
> > +# ${EGO_SUM_SRC_URI}" |
23 |
> > +# |
24 |
> > +# LICENSE="some-license ${EGO_SUM_LICENSES}" |
25 |
> > +# |
26 |
> > +# src_unpack() { |
27 |
> > +# unpack ${P}.tar.gz |
28 |
> > +# go-module_src_unpack |
29 |
> > +# } |
30 |
> I don't think I would put an src_unpack() in the example. |
31 |
This is one of the unforeseen interactions. |
32 |
The go.sum unpack only applies special handling to distfiles that it |
33 |
knows about. It does NOT process any other distfiles at all. |
34 |
|
35 |
EAPI8 or future Portage improvements might have annotations to disable |
36 |
any automatic unpacking for specific distfiles, which would resolve this |
37 |
issue. |
38 |
|
39 |
Hence, you need to explicitly unpack any distfiles that are NOT part of |
40 |
the go.sum dependencies. There are some ebuilds that do unpack & rename |
41 |
in src_unpack already, so they need extra care as well. |
42 |
|
43 |
The EGO_VENDOR src_unpack unpacked EVERYTHING, so it didn't have this |
44 |
issue. |
45 |
|
46 |
> |
47 |
> > +# The extra metadata keys accepted at this time are: |
48 |
> > +# - license: for dependencies built into the final runtime, the value field is |
49 |
> > +# a comma seperated list of Gentoo licenses to apply to the LICENSE variable, |
50 |
> > +# |
51 |
> There are two lines for each module in go.sum, the one with /go.mod as a |
52 |
> suffix to the version and the one without. We do not need both right? |
53 |
This is not entirely correct, and it's the warnings from golang upstream |
54 |
about some hidden complexity in the /go.mod that lead me to list both of |
55 |
them. |
56 |
|
57 |
If we intend to verify the h1: in future, then we need to list all |
58 |
/go.mod entries explicitly, so have somewhere to put the h1: hash. |
59 |
If you're verifying the h1: hash, you must verify it on the |
60 |
{version}.mod ALWAYS, and if the {version}.zip is present, then also on |
61 |
that file (otherwise it could sneak in some evil metadata via the |
62 |
{version}.mod). |
63 |
|
64 |
If we omit h1: entirely, then we can get away with listing ONE line in |
65 |
EGO_SUM for each dependency. |
66 |
- If it contains /go.mod, it will fetch ONLY the {version}.mod file. |
67 |
- If it does not contain /go.mod, it will fetch the {version}.mod file |
68 |
AND the {version}.zip file |
69 |
|
70 |
> > +# @EXAMPLE: |
71 |
> > +# # github.com/BurntSushi/toml is a build-time only dep |
72 |
> > +# # github.com/aybabtme/rgbterm is a runtime dep, annotated with licenses |
73 |
> |
74 |
> I'm not sure we can distinguish between buildtime only and runtime deps. |
75 |
The 'golicense' tool will take a Golang binary and print out all of the |
76 |
Golang modules that got linked into it. I consider those to be the |
77 |
runtime deps in this case. |
78 |
|
79 |
> > +# @ECLASS-VARIABLE: _GOMODULE_GOPROXY_BASEURI |
80 |
... |
81 |
> > +# This variable should NOT be present in user-level configuration e.g. |
82 |
> > +# /etc/portage/make.conf, as it will violate metadata immutability! |
83 |
> > +: "${_GOMODULE_GOPROXY_BASEURI:=mirror://goproxy/}" |
84 |
> |
85 |
> If this isn't supposed to be in user-level configuration, where should |
86 |
> it be set? |
87 |
Maybe I'll just prefix it with 'readonly' and force the value for now. |
88 |
|
89 |
> > # @FUNCTION: go-module_src_unpack |
90 |
> > # @DESCRIPTION: |
91 |
> > +# Extract & configure Go modules for consumpations. |
92 |
> > +# - Modules listed in EGO_SUM are configured as a local GOPROXY via symlinks (fast!) |
93 |
> > +# - Modules listed in EGO_VENDOR are extracted to "${S}/vendor" (slow) |
94 |
> > +# |
95 |
> > +# This function does NOT unpack the base distfile of a Go-based package. |
96 |
> > +# While the entries in EGO_SUM will be listed in ${A}, they should NOT be |
97 |
> > +# unpacked, Go will directly consume the files, including zips. |
98 |
> > +go-module_src_unpack() { |
99 |
> |
100 |
> If possible, this function should unpack the base distfile. That would |
101 |
> keep us from having to write src_unpack for every go ebuild that uses |
102 |
> the eclass. |
103 |
That's fine until we get to multiple base distfiles and handling them. |
104 |
Maybe pass a flag to go-module_src_unpack to tell it not to unpack any |
105 |
distfile that it does not explicitly know about? |
106 |
|
107 |
> > + die "Neither EGO_SUM nor EGO_VENDOR are set!" |
108 |
> This shouldn't die, having neither one set is valid. |
109 |
Yes, I caught this in later testing: a Golang package in the tree that |
110 |
inherit go-module, but didn't use EGO_VENDOR, EGO_SUM or have a vendor |
111 |
directory! This is another reason why I think bumping the eclass to a |
112 |
new name would be safer now. |
113 |
|
114 |
> > +_go-module_src_unpack_vendor() { |
115 |
> > + # shellcheck disable=SC2120 |
116 |
> > + debug-print-function "${FUNCNAME}" "$@" |
117 |
> Maybe add an eqawarn here that EGO_VENDOR is deprecated to encourage |
118 |
> people to migrate their ebuilds. |
119 |
Omitting this based on my feelings about a new eclass now. |
120 |
|
121 |
>> ... |
122 |
> If EGO_SUM is up to date, this could also mean that upstream forgot to |
123 |
> run go mod tidy and commit the go.mod/go.sum before the release, so it |
124 |
> could be a bug that needs to be reported. |
125 |
Yes. I found at least one package where the upstream had failed to run |
126 |
go mod tidy in the release: I already reported it, and they say they |
127 |
will include it in the next release, not doing a release just for it. |
128 |
|
129 |
-- |
130 |
Robin Hugh Johnson |
131 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
132 |
E-Mail : robbat2@g.o |
133 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
134 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |