| 1 |
On Thu, Sep 12, 2019 at 9:14 AM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
|
| 3 |
> On 9/12/19 11:46 AM, William Hubbs wrote: |
| 4 |
> > |
| 5 |
> > In other words, the way I see this is a tree-wide issue. LICENSE= for |
| 6 |
> > any package should list every license for every package it links to or |
| 7 |
> > uses. |
| 8 |
> > |
| 9 |
> There is no issue tree-wide, because no one else is trying to cut |
| 10 |
> corners and bundle every dependency of every package. All of our |
| 11 |
> dependencies are in separate packages, with separate LICENSE variables. |
| 12 |
> So when you install one package, the LICENSE variables of all its |
| 13 |
> dependencies pulled in by the package manager are indeed taken into |
| 14 |
> account. That's the whole point of a package manager -- it can do these |
| 15 |
> things for you if the developers do their jobs and package software |
| 16 |
> correctly. |
| 17 |
> |
| 18 |
|
| 19 |
I'm not really keen on this language ("cutting corners"). Newer languages |
| 20 |
are not C, they don't act like C, build like C or do many other things like |
| 21 |
C[0]. That presents engineering challenges to Gentoo; because the standard |
| 22 |
way of doing stuff doesn't work. I nominally see two avenues here: |
| 23 |
|
| 24 |
(1) go ebuilds with modules put the modules in DEPEND, every module is a |
| 25 |
package, we have some kind of tooling to essentially handle the creation of |
| 26 |
these packages (and by package I mean some kind of Gentoo compatible |
| 27 |
package, including the tarballs, checksums, LICENSE, and so forth.) Then |
| 28 |
during src_prepare() we essentially do the work necessary to place these |
| 29 |
package sources in the right place (e.g. wherever the module system expects |
| 30 |
them.) |
| 31 |
|
| 32 |
(2) Is Williamh's current implementation, developers themselves run go mod, |
| 33 |
get all the modules, package them up, and distribute them. The tooling for |
| 34 |
this should handle LICENSE. |
| 35 |
|
| 36 |
One immediate problem I see with (1) is that these modules often don't have |
| 37 |
releases like traditional packages do, so you end up with a dependency on |
| 38 |
(somemodulename, <SHA1HASH>). This then leads to a version explosion as |
| 39 |
every go package (N) depends on a different SHA1HASH of module M; it ends |
| 40 |
up being a bit of a hot mess. This may cause some complexities (it bloats |
| 41 |
the depgraph for one) and so William's approach simplifies the problem. |
| 42 |
|
| 43 |
In general I don't see bundling as a major problem. In the land of dynamic |
| 44 |
binaries, it's a big advantage because you can upgrade libfoo and all |
| 45 |
consumers of libfoo get the upgrade upon process restart. This isn't true |
| 46 |
for most go programs which are statically linked; so you end up asking |
| 47 |
yourself "why should I make a package for every go module?" One obvious |
| 48 |
answer is that portage then tracks what packages are consuming a given |
| 49 |
module and you can plausibly write a tool that does things like "moduleX |
| 50 |
has a security update, please recompile all packages that DEPEND on |
| 51 |
moduleX" which seems like a tool people would want. |
| 52 |
|
| 53 |
[0] I feel like this is a common idea in Gentoo throughout. Anything new is |
| 54 |
bad. Anything that violates norms is bad. Anything that violates the model |
| 55 |
we have been using for 20 years is bad. I wish people were more open to |
| 56 |
have a discussion without crapping on new ideas quite so thoroughly. |
| 57 |
|
| 58 |
-A |
Archives