1 |
All, |
2 |
|
3 |
we have digressed a bit, so I want to bring the discussion back to what |
4 |
my main concerns are about this issue. |
5 |
|
6 |
1. Should we bundle Go packages with Go software? |
7 |
|
8 |
If we do, except for the Go standard library which is part of |
9 |
dev-lang/go, do we need to bother with installing Go sources and |
10 |
packages at all? |
11 |
|
12 |
The down side of the whole bundling idea is that every consumer |
13 |
on someone's system could potentially have a different version of the |
14 |
Go package, which doesn't lend itself well to security concerns. |
15 |
|
16 |
This is why bundling is generally discouraged in Gentoo. |
17 |
|
18 |
Also, if we bundle, most of dev-go/* doesn't need to exist because these |
19 |
libraries would be bundled into and statically linked into the software |
20 |
that needs them. |
21 |
|
22 |
2. How should we bundle? |
23 |
|
24 |
This is where my concern about consul and some other ebuilds comes in. |
25 |
|
26 |
The way the consul ebuild is written (putting the commit hashes of |
27 |
dependencies in SRC_URI) assumes that all of the dependencies will stay |
28 |
on github. This makes the ebuild far less flexable than go itself is. |
29 |
|
30 |
If we are going to bundle, I would rather have one tarball that includes |
31 |
all of the sources for consul and the dependent libraries dropped on the |
32 |
Gentoo mirrors. Such a tarball is very easy to create. |
33 |
|
34 |
Thoughts? |
35 |
|
36 |
William |