| 1 |
All, |
| 2 |
|
| 3 |
we have digressed a bit, so I want to bring the discussion back to what |
| 4 |
my main concerns are about this issue. |
| 5 |
|
| 6 |
1. Should we bundle Go packages with Go software? |
| 7 |
|
| 8 |
If we do, except for the Go standard library which is part of |
| 9 |
dev-lang/go, do we need to bother with installing Go sources and |
| 10 |
packages at all? |
| 11 |
|
| 12 |
The down side of the whole bundling idea is that every consumer |
| 13 |
on someone's system could potentially have a different version of the |
| 14 |
Go package, which doesn't lend itself well to security concerns. |
| 15 |
|
| 16 |
This is why bundling is generally discouraged in Gentoo. |
| 17 |
|
| 18 |
Also, if we bundle, most of dev-go/* doesn't need to exist because these |
| 19 |
libraries would be bundled into and statically linked into the software |
| 20 |
that needs them. |
| 21 |
|
| 22 |
2. How should we bundle? |
| 23 |
|
| 24 |
This is where my concern about consul and some other ebuilds comes in. |
| 25 |
|
| 26 |
The way the consul ebuild is written (putting the commit hashes of |
| 27 |
dependencies in SRC_URI) assumes that all of the dependencies will stay |
| 28 |
on github. This makes the ebuild far less flexable than go itself is. |
| 29 |
|
| 30 |
If we are going to bundle, I would rather have one tarball that includes |
| 31 |
all of the sources for consul and the dependent libraries dropped on the |
| 32 |
Gentoo mirrors. Such a tarball is very easy to create. |
| 33 |
|
| 34 |
Thoughts? |
| 35 |
|
| 36 |
William |
Archives