public inbox for gentoo-dev@lists.gentoo.org
From: Hank Leininger <hlein@korelogic.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] EGO_SUM (was: [gentoo-project] Gentoo Council Election 202306 ... Nominations Open
Date: Thu, 6 Jul 2023 13:46:34 -0600
Message-ID: <20230706134201.6e121cfe-5135-42c1-ba72-21db6bdb620d@korelogic.com>
In-Reply-To: <20230706060918.GA10569@tachikoma>

On Thu, Jul 6, 2023 Zoltan Puskas wrote:
> I've been following the EGO_SUM thread for quite some time now. One
> other thing I did not see mentioned in favour of EGO_SUM so far:
> reproducibility.

> The problem with external tarballs is that they are gone once the
> ebuild is dropped from the tree. Should a user ever want to roll back
> to a previous version of an application, either by checking out an
> older version of the portage tree or copying said ebuild into their
> local overlay, they still cannot simply run an emerge on it as
> they have to somehow recreate the tarball itself too.

> While upstream may not host everything forever, it's pretty much
> guaranteed to be available for much longer than Gentoo's custom
> tarball bundles of dependencies.

I see this brought up every once in a while in these EGO_SUM threads,
but I think reproducible tarballs are a solved problem, or at least, the
tools exist and we just need to decide how to best equip people with
them.

thesamesam/sam-gentoo-scripts has maint/bump-go which builds these
tarballs smartly and reproducibly:

- use --sort=name to order files inside in a consistent way
- use consistent owner:group (portage:portage)
- use consistent LC and TZ settings
- set a standard timestamp (since 'go mod download' doesn't preserve
  upstream timestamps anyway, this loses no useful information)

With that, multiple developers can independently generate a -deps
tarball for a given Go package version with checksums that match. The
main distro tarball's checksums are verified against Manifest, and then
within it are the list and checksums of the individual downloads which
would be verified by go mod download (right?) and the resulting -deps
files should also match Manifest entries.

So a similar approach could be used in the case of expired ::gentoo
versions being installed, or overlays using -deps files without a way to
host them. Set things up so this can be done easily on demand or perhaps
automatically as needed (maybe through a variation on pkg_nofetch in a
Go eclass; that part is not obvious to me). 

Thanks,

-- 

Hank Leininger <hlein@korelogic.com>
9606 3BF9 B593 4CBC E31A  A384 6200 F6E3 781E 3DD7
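
The four settings listed in the message above, as an added shell example (not part of the original e-mail and not the bump-go script itself): two simulated developers build the same tree in a different order and with different file mtimes, and only the pinned invocation gives matching checksums. The `portage:250` name:id pair, the `1989-01-01` timestamp, the extra `--format=gnu` pin and the sample tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Requires GNU tar >= 1.28 (for --sort) and coreutils sha256sum.

# pack_deps SRC OUT: archive directory SRC with the four settings listed above.
pack_deps() {
    # LC_ALL/TZ pinned so locale- or zone-dependent behaviour (such as how
    # the --mtime date string is parsed) is identical on every machine.
    # portage:250 is an assumed name:id pair; --format=gnu is an extra pin
    # not in the post's list, keeping pax atime/ctime headers out.
    LC_ALL=C TZ=UTC tar --sort=name \
        --owner=portage:250 --group=portage:250 \
        --mtime='1989-01-01' --format=gnu \
        -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# pack_naive SRC OUT: plain tar, for contrast.
pack_naive() {
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# make_tree DIR NAME...: constructed sample tree standing in for a Go module
# cache; same content every time, files created in the order given.
make_tree() {
    dir=$1; shift
    mkdir -p "$dir/go-mod/cache/download"
    for name in "$@"; do
        printf 'module example.invalid/%s\n' "$name" \
            > "$dir/go-mod/cache/download/$name.mod"
    done
}

# compare_builds PACKER: two "developers" build the same tree in a different
# order and with different file mtimes; prints "match" or "differ".
compare_builds() {
    work=$(mktemp -d)
    make_tree "$work/dev1" alpha beta gamma
    make_tree "$work/dev2" gamma alpha beta
    touch -t 200102030405 "$work/dev2/go-mod/cache/download/beta.mod"
    "$1" "$work/dev1/go-mod" "$work/dev1.tar"
    "$1" "$work/dev2/go-mod" "$work/dev2.tar"
    h1=$(sha256sum < "$work/dev1.tar" | cut -d' ' -f1)
    h2=$(sha256sum < "$work/dev2.tar" | cut -d' ' -f1)
    rm -rf "$work"
    [ "$h1" = "$h2" ] && echo match || echo differ
}

echo "naive tar:         $(compare_builds pack_naive)"
echo "reproducible tar:  $(compare_builds pack_deps)"
```

File modes are not normalised here, so both builders must use the same umask; compressing the result adds a second place where tool version and settings have to agree.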
