Re: [gentoo-dev] [PATCH 3/3] dev-vcs/hub: migrate to go-module.eclass

[Patrick McLean <chutzpah@gentoo.org>]

On Fri, 13 Sep 2019 19:44:55 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> (Replying to both messages at once.)
> 
> 
> On 9/13/19 4:17 PM, Patrick McLean wrote:
> >>  
> > I don't think anyone here has suggested that any go packages are
> > installed in the stage3 tarballs, or included in profiles.
> > Something's presence in the tree does not mean that you are
> > required to install it. A package's presence in the tree really has
> > little to zero effect on any user that does not use the package. If
> > you do not install the package, it will have zero effect on your
> > banking.  
> 
> This is true only so far as they never become dependencies of anything
> else. Do all new developers know that dev-go is an insecure ghetto? Do
> our users? Or might someone accidentally install or depend upon
> something in dev-go before learning that crucial bit of information?

A suggestion was made on IRC to have a pkg_postinst in the eclass that
warn about golang package dependencies not having the same level of
Gentoo security coverage that other packages in the tree have due to
static linking. I think this is a reasonable approach, and users and
developers will know. There is precedent for this, see
sys-kernel/vanilla-sources

> > I also want to point out that the Gentoo packages for Firefox,
> > Chromium, and Webkit all have a _lot_ of bundled dependencies and
> > absolutely do static linking internally. If you are using a browser
> > to do your banking, you are almost certainly using static linking,
> > even without the presence of code written in golang.  
> 
> Is this is a "two wrongs make a right" argument? I'm telling mom =P

I am pointing out that we can't ban all static linking in the tree,
many upstream packages won't work without it (or significant effort
that no one has the time or motivation for).

> > Despite your (and my) objections to it's approach to linking,
> > golang is a very popular language these days with some very popular
> > packages written in it.  
> 
> No it's not. It's below Delphi and Object Pascal on TIOBE this month.
> It's a trend that a tiny percentage of people jumped on because they
> heard the name "Google" back when Google was cool.

Random stats from a website are not really an indication of how much a
language is being used. There are plenty of very popular packages that
are written in golang.

> The "people want this in Gentoo" argument I understand, but people
> don't really have it "in Gentoo." They have a thin wrapper around the
> "go" command. They don't get the Gentoo security guarantees, they
> don't get the Gentoo license handling, they don't get the ease of
> management that comes with a Gentoo @world update. They silently get
> something less than they're expecting. We would be better off telling
> people to run "go whatever" themselves, or by putting this stuff in
> an overlay where expectations are clearly defined.

Users and Gentoo developers want Docker and Kubernetes (to name a
couple) in the main tree. These are written in golang. I don't think we
should ban packages because of the language they are written in.
Especially if there are developers who want to maintain them.

They do get the ease of management of @world in that if the upstream
package releases a new version, it will be pulled in via an @world
update. That is quite a large advantage to users, and is worth doing if
there are developers willing to maintain the packages in the tree.

> 
> > While I personally have opinions about static linking (I basically
> > completely agree with you that it's a dumb idea). That said, this
> > has nothing to do with this particular discussion, I suggest you
> > take it up with the golang upstream. I don't think anyone here is
> > arguing that static linking is a great idea and everyone should do
> > it.  
> 
> We just have a philosophical difference here. I don't think we should
> commit admittedly-dumb ideas to ::gentoo. These packages would work
> fine in an overlay until such a time as someone is interested in
> doing things correctly. They also work "fine" if you install them
> with "go" yourself: Portage isn't doing much for you when everything
> is bundled, statically linked, and has LICENSE set incorrectly.

When "doing things correctly" means basically forking the entire
ecosystem and maintaining all the forks internally, that is not
something that is ever going to happen. There is demand from users and
developers for golang packages.

It's the same reason why we don't unbundle everything in Firefox and
Chromium, it's simply too much work. It basically means maintaining our
own fork of the package. That also means security updates will take
significantly longer, as the fork will need to be rebased on the new
upstream version.

> I don't want to keep replying to these threads -- I've said everything
> that I've got to say, and I'm boring myself, so I can only imagine how
> you all feel. This will get pushed through anyway, because it always
> does. It's just demoralizing constantly begging people not to make
> things worse and being ignored.

Then don't, golang and packages written in it are going to stay in the
tree and new golang packages are going to be added. This entire
thread has been about how we are going to support a newer packaging
style upstream adopted.

I encourage you to package.mask dev-lang/go, and carefully inspect any
-bin packages you install to make sure you don't install anything
written in golang on your machine.