Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Cc: "Michał Górny" <mgorny@g.o>, "Robin H. Johnson" <robbat2@g.o>, Georgy Yakovlev <gyakovlev@g.o>, sam@g.o
Subject: Re: [gentoo-project] Call for agenda items - Council meeting on 2022-02-13
Date: Wed, 09 Feb 2022 23:32:19
Message-Id: CAGfcS_nTGrZ=30q2gaxGWMyG_V6wjHmqbZJ9gXV-_=b9muNTVg@mail.gmail.com
In Reply to: Re: [gentoo-project] Call for agenda items - Council meeting on 2022-02-13 by "Robin H. Johnson"
1 On Wed, Feb 9, 2022 at 6:16 PM Robin H. Johnson <robbat2@g.o> wrote:
2 >
3 > Potential families of solutions as I proposed:
4 > ----------------------------------------------
5 > 1) make 1:1 upstream distfile to gentoo distfile official and accepted
6 > EVEN if a package has tens of thousands of distfiles.
7 > 1.1) Provide a way to share duplicated Manifest entries between packages
8 >
9 > 2) make distfile bundling "official", accepting large growth in mirror usage
10 > 2.1) This would include tooling to make it easy, repeatable, verifiable etc.
11 >
12 > 3) Additional fetch phases, that depend on inputs from src_unpack: this
13 > would run things like ecosystem-specific fetch tooling.
14 > That tooling would be responsible for the steps I mentioned above,
15 > parallel download, verifications, writing to distdir in a way the
16 > ecosystem could use
17
18 I'm not sure I'd recommend it, but another option would be to have an
19 additional layer of manifest/URL references.
20
21 You put foo.ref in your SRC_URI, and it gets manifested as usual.
22 foo.ref is a text file with a list of URLs and hashes, which get
23 fetched and verified. That could be done by calling a function in a
24 new extra fetch phase, or by putting it additionally in some variable
25 that an eclass accepts.
26
27 You could instead put foo.ref in some other variable defined by the
28 EAPI if you want portage to be able to handle it directly in the fetch
29 phase. It would be like a special SRC_URI that gets around length
30 issues and the need to store the manifests in the repo. That would
31 lock down the defined behavior in a secure manner and now there is no
32 extra phase.
33
34 Either way though you still get a bazillion small files hosted
35 somewhere and which need to be fetched, hopefully in an efficient
36 manner. It is secure because everything is hashed and tied to the
37 manifest in the repo, but as a single file.
38
39 --
40 Rich
Report Message
Find on MARC Find on Google Groups