1 |
On Thu, Sep 12, 2019 at 9:14 AM Michael Orlitzky <mjo@g.o> wrote: |
2 |
|
3 |
> On 9/12/19 11:46 AM, William Hubbs wrote: |
4 |
> > |
5 |
> > In other words, the way I see this is a tree-wide issue. LICENSE= for |
6 |
> > any package should list every license for every package it links to or |
7 |
> > uses. |
8 |
> > |
9 |
> There is no issue tree-wide, because no one else is trying to cut |
10 |
> corners and bundle every dependency of every package. All of our |
11 |
> dependencies are in separate packages, with separate LICENSE variables. |
12 |
> So when you install one package, the LICENSE variables of all its |
13 |
> dependencies pulled in by the package manager are indeed taken into |
14 |
> account. That's the whole point of a package manager -- it can do these |
15 |
> things for you if the developers do their jobs and package software |
16 |
> correctly. |
17 |
> |
18 |
|
19 |
I'm not really keen on this language ("cutting corners"). Newer languages |
20 |
are not C, they don't act like C, build like C or do many other things like |
21 |
C[0]. That presents engineering challenges to Gentoo; because the standard |
22 |
way of doing stuff doesn't work. I nominally see two avenues here: |
23 |
|
24 |
(1) go ebuilds with modules put the modules in DEPEND, every module is a |
25 |
package, we have some kind of tooling to essentially handle the creation of |
26 |
these packages (and by package I mean some kind of Gentoo compatible |
27 |
package, including the tarballs, checksums, LICENSE, and so forth.) Then |
28 |
during src_prepare() we essentially do the work necessary to place these |
29 |
package sources in the right place (e.g. wherever the module system expects |
30 |
them.) |
31 |
|
32 |
(2) Is Williamh's current implementation, developers themselves run go mod, |
33 |
get all the modules, package them up, and distribute them. The tooling for |
34 |
this should handle LICENSE. |
35 |
|
36 |
One immediate problem I see with (1) is that these modules often don't have |
37 |
releases like traditional packages do, so you end up with a dependency on |
38 |
(somemodulename, <SHA1HASH>). This then leads to a version explosion as |
39 |
every go package (N) depends on a different SHA1HASH of module M; it ends |
40 |
up being a bit of a hot mess. This may cause some complexities (it bloats |
41 |
the depgraph for one) and so William's approach simplifies the problem. |
42 |
|
43 |
In general I don't see bundling as a major problem. In the land of dynamic |
44 |
binaries, it's a big advantage because you can upgrade libfoo and all |
45 |
consumers of libfoo get the upgrade upon process restart. This isn't true |
46 |
for most go programs which are statically linked; so you end up asking |
47 |
yourself "why should I make a package for every go module?" One obvious |
48 |
answer is that portage then tracks what packages are consuming a given |
49 |
module and you can plausibly write a tool that does things like "moduleX |
50 |
has a security update, please recompile all packages that DEPEND on |
51 |
moduleX" which seems like a tool people would want. |
52 |
|
53 |
[0] I feel like this is a common idea in Gentoo throughout. Anything new is |
54 |
bad. Anything that violates norms is bad. Anything that violates the model |
55 |
we have been using for 20 years is bad. I wish people were more open to |
56 |
have a discussion without crapping on new ideas quite so thoroughly. |
57 |
|
58 |
-A |