| 1 |
On Wed, Feb 19, 2020 at 07:36:27AM +0000, Robin H. Johnson wrote: |
| 2 |
> On Tue, Feb 18, 2020 at 11:46:45PM -0600, William Hubbs wrote: |
| 3 |
> > > -# If it does not have a vendor directory, you should use the EGO_VENDOR |
| 4 |
> > > +# Alternatively, older versions of this eclass used the EGO_VENDOR |
| 5 |
> > > # variable and the go-module_vendor_uris function as shown in the |
| 6 |
> > > # example below to handle dependencies. |
| 7 |
> > I think we can remove the example with EGO_VENDOR and |
| 8 |
> > go-module_vendor_uris; we really don't want people to continue following |
| 9 |
> > that example. |
| 10 |
> I tried to handle more cases here, but now I'm wondering if it would be |
| 11 |
> cleaner just to put all of new way into a distinct eclass, and sunset |
| 12 |
> the old eclass entirely. I found unforeseen interactions, see below. |
| 13 |
> |
| 14 |
> > > +# S="${WORKDIR}/${MY_P}" |
| 15 |
> > The default setting of S should be fine for most ebuilds, so I don't |
| 16 |
> > think we need this in the example. |
| 17 |
> I'd copied it, but yes in this case. |
| 18 |
> |
| 19 |
> > |
| 20 |
> > > +# go-module_set_globals |
| 21 |
> > > +# |
| 22 |
> > > +# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz |
| 23 |
> > > +# ${EGO_SUM_SRC_URI}" |
| 24 |
> > > +# |
| 25 |
> > > +# LICENSE="some-license ${EGO_SUM_LICENSES}" |
| 26 |
> > > +# |
| 27 |
> > > +# src_unpack() { |
| 28 |
> > > +# unpack ${P}.tar.gz |
| 29 |
> > > +# go-module_src_unpack |
| 30 |
> > > +# } |
| 31 |
> > I don't think I would put an src_unpack() in the example. |
| 32 |
> This is one of the unforeseen interactions. |
| 33 |
> The go.sum unpack only applies special handling to distfiles that it |
| 34 |
> knows about. It does NOT process any other distfiles at all. |
| 35 |
> |
| 36 |
> EAPI8 or future Portage improvements might have annotations to disable |
| 37 |
> any automatic unpacking for specific distfiles, which would resolve this |
| 38 |
> issue. |
| 39 |
> |
| 40 |
> Hence, you need to explicitly unpack any distfiles that are NOT part of |
| 41 |
> the go.sum dependencies. There are some ebuilds that do unpack & rename |
| 42 |
> in src_unpack already, so they need extra care as well. |
| 43 |
> |
| 44 |
> The EGO_VENDOR src_unpack unpacked EVERYTHING, so it didn't have this |
| 45 |
> issue. |
| 46 |
|
| 47 |
I will look at that in a bit and comment on it. |
| 48 |
|
| 49 |
> |
| 50 |
> > |
| 51 |
> > > +# The extra metadata keys accepted at this time are: |
| 52 |
> > > +# - license: for dependencies built into the final runtime, the value field is |
| 53 |
> > > +# a comma seperated list of Gentoo licenses to apply to the LICENSE variable, |
| 54 |
> > > +# |
| 55 |
> > There are two lines for each module in go.sum, the one with /go.mod as a |
| 56 |
> > suffix to the version and the one without. We do not need both right? |
| 57 |
> This is not entirely correct, and it's the warnings from golang upstream |
| 58 |
> about some hidden complexity in the /go.mod that lead me to list both of |
| 59 |
> them. |
| 60 |
> |
| 61 |
> If we intend to verify the h1: in future, then we need to list all |
| 62 |
> /go.mod entries explicitly, so have somewhere to put the h1: hash. |
| 63 |
> If you're verifying the h1: hash, you must verify it on the |
| 64 |
> {version}.mod ALWAYS, and if the {version}.zip is present, then also on |
| 65 |
> that file (otherwise it could sneak in some evil metadata via the |
| 66 |
> {version}.mod). |
| 67 |
> |
| 68 |
> If we omit h1: entirely, then we can get away with listing ONE line in |
| 69 |
> EGO_SUM for each dependency. |
| 70 |
> - If it contains /go.mod, it will fetch ONLY the {version}.mod file. |
| 71 |
> - If it does not contain /go.mod, it will fetch the {version}.mod file |
| 72 |
> AND the {version}.zip file |
| 73 |
|
| 74 |
If Go itself does that verification during the build, do we need to do |
| 75 |
it also? |
| 76 |
|
| 77 |
> > > +# @EXAMPLE: |
| 78 |
> > > +# # github.com/BurntSushi/toml is a build-time only dep |
| 79 |
> > > +# # github.com/aybabtme/rgbterm is a runtime dep, annotated with licenses |
| 80 |
> > |
| 81 |
> > I'm not sure we can distinguish between buildtime only and runtime deps. |
| 82 |
> The 'golicense' tool will take a Golang binary and print out all of the |
| 83 |
> Golang modules that got linked into it. I consider those to be the |
| 84 |
> runtime deps in this case. |
| 85 |
> |
| 86 |
> > > +# @ECLASS-VARIABLE: _GOMODULE_GOPROXY_BASEURI |
| 87 |
> ... |
| 88 |
> > > +# This variable should NOT be present in user-level configuration e.g. |
| 89 |
> > > +# /etc/portage/make.conf, as it will violate metadata immutability! |
| 90 |
> > > +: "${_GOMODULE_GOPROXY_BASEURI:=mirror://goproxy/}" |
| 91 |
> > |
| 92 |
> > If this isn't supposed to be in user-level configuration, where should |
| 93 |
> > it be set? |
| 94 |
> Maybe I'll just prefix it with 'readonly' and force the value for now. |
| 95 |
> |
| 96 |
> > > # @FUNCTION: go-module_src_unpack |
| 97 |
> > > # @DESCRIPTION: |
| 98 |
> > > +# Extract & configure Go modules for consumpations. |
| 99 |
> > > +# - Modules listed in EGO_SUM are configured as a local GOPROXY via symlinks (fast!) |
| 100 |
> > > +# - Modules listed in EGO_VENDOR are extracted to "${S}/vendor" (slow) |
| 101 |
> > > +# |
| 102 |
> > > +# This function does NOT unpack the base distfile of a Go-based package. |
| 103 |
> > > +# While the entries in EGO_SUM will be listed in ${A}, they should NOT be |
| 104 |
> > > +# unpacked, Go will directly consume the files, including zips. |
| 105 |
> > > +go-module_src_unpack() { |
| 106 |
> > |
| 107 |
> > If possible, this function should unpack the base distfile. That would |
| 108 |
> > keep us from having to write src_unpack for every go ebuild that uses |
| 109 |
> > the eclass. |
| 110 |
> That's fine until we get to multiple base distfiles and handling them. |
| 111 |
> Maybe pass a flag to go-module_src_unpack to tell it not to unpack any |
| 112 |
> distfile that it does not explicitly know about? |
| 113 |
|
| 114 |
Maybe, but again I'll think about this more. |
| 115 |
|
| 116 |
> > > + die "Neither EGO_SUM nor EGO_VENDOR are set!" |
| 117 |
> > This shouldn't die, having neither one set is valid. |
| 118 |
> Yes, I caught this in later testing: a Golang package in the tree that |
| 119 |
> inherit go-module, but didn't use EGO_VENDOR, EGO_SUM or have a vendor |
| 120 |
> directory! This is another reason why I think bumping the eclass to a |
| 121 |
> new name would be safer now. |
| 122 |
|
| 123 |
Which ebuild was that? this is actually an invalid case for go-module. |
| 124 |
A go module requires the presence of go.mod and optionally go.sum (if |
| 125 |
there are no external deps) and optionally vendor/. |
| 126 |
|
| 127 |
If you want an invalid case, you would have to be able to test for |
| 128 |
something like: |
| 129 |
|
| 130 |
[[ ! -f "${S}"/go.mod ]] && die "..." |
| 131 |
|
| 132 |
> |
| 133 |
> > > +_go-module_src_unpack_vendor() { |
| 134 |
> > > + # shellcheck disable=SC2120 |
| 135 |
> > > + debug-print-function "${FUNCNAME}" "$@" |
| 136 |
> > Maybe add an eqawarn here that EGO_VENDOR is deprecated to encourage |
| 137 |
> > people to migrate their ebuilds. |
| 138 |
> Omitting this based on my feelings about a new eclass now. |
| 139 |
|
| 140 |
I'm still not convinced we need a whole new eclass. |
| 141 |
|
| 142 |
William |
Archives