1 |
On Wed, Feb 09, 2022 at 10:40:20AM -0600, William Hubbs wrote: |
2 |
|
3 |
*snip* |
4 |
|
5 |
> I hope vendor tarballs are a temporary solution. |
6 |
> The down side of them is duplicate data across vendor tarballs. In other |
7 |
> words, the vendor tarball for cosign could include data that is in other |
8 |
> vendor tarballs and there is no way to prevent that. |
9 |
> |
10 |
> The best solution would be to have a src_fetch_extra phase like I |
11 |
> mentioned earlier in the thread. If I had that ability, the cosign |
12 |
> ebuild would look like this. Note that the src_fetch_extra function |
13 |
> would be in the go-module eclass not the cosign ebuild so the ebuild |
14 |
> would be smaller still. |
15 |
|
16 |
I just realized a down side to this approach, but I don't know how |
17 |
important that down side is. |
18 |
|
19 |
As the example shows, if a package has a vendor directory we would trust |
20 |
it so nothing would need to be done. If we have to run "go mod |
21 |
download", however, this populates the dependency cache from the |
22 |
internet. This means that a package that requires this could not be |
23 |
built if the building machine is not on the net. |
24 |
|
25 |
I don't know how important this is, because it is true for any go |
26 |
package without a vendor directory no matter how you build it. |
27 |
|
28 |
Thoughts? |
29 |
|
30 |
William |