| 1 |
On Wed, Feb 09, 2022 at 10:40:20AM -0600, William Hubbs wrote: |
| 2 |
|
| 3 |
*snip* |
| 4 |
|
| 5 |
> I hope vendor tarballs are a temporary solution. |
| 6 |
> The down side of them is duplicate data across vendor tarballs. In other |
| 7 |
> words, the vendor tarball for cosign could include data that is in other |
| 8 |
> vendor tarballs and there is no way to prevent that. |
| 9 |
> |
| 10 |
> The best solution would be to have a src_fetch_extra phase like I |
| 11 |
> mentioned earlier in the thread. If I had that ability, the cosign |
| 12 |
> ebuild would look like this. Note that the src_fetch_extra function |
| 13 |
> would be in the go-module eclass not the cosign ebuild so the ebuild |
| 14 |
> would be smaller still. |
| 15 |
|
| 16 |
I just realized a down side to this approach, but I don't know how |
| 17 |
important that down side is. |
| 18 |
|
| 19 |
As the example shows, if a package has a vendor directory we would trust |
| 20 |
it so nothing would need to be done. If we have to run "go mod |
| 21 |
download", however, this populates the dependency cache from the |
| 22 |
internet. This means that a package that requires this could not be |
| 23 |
built if the building machine is not on the net. |
| 24 |
|
| 25 |
I don't know how important this is, because it is true for any go |
| 26 |
package without a vendor directory no matter how you build it. |
| 27 |
|
| 28 |
Thoughts? |
| 29 |
|
| 30 |
William |
Archives