Date: Thu, 6 Jul 2023 13:46:34 -0600
From: Hank Leininger
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] EGO_SUM (was: [gentoo-project] Gentoo Council Election 202306 ... Nominations Open
Message-ID: <20230706134201.6e121cfe-5135-42c1-ba72-21db6bdb620d@korelogic.com>
In-Reply-To: <20230706060918.GA10569@tachikoma>

On Thu, Jul 6, 2023 Zoltan Puskas wrote:
> I've been following the EGO_SUM thread for quite some time now. One
> other thing I did not see mentioned in favour of EGO_SUM so far:
> reproducibility.
> The problem with external tarballs is that they are gone once the
> ebuild is dropped from the tree. Should a user ever want to roll back
> to a previous version of an application, either by checking out an
> older version of the portage tree or copying said ebuild into their
> local overlay, they still cannot simply run an emerge on it as
> they have to somehow recreate the tarball itself too.
> While upstream may not host everything forever, it's pretty much
> guaranteed to be available for much longer than Gentoo's custom
> tarball bundles of dependencies.

I see this brought up every once in a while in these EGO_SUM threads, but
I think reproducible tarballs are a solved problem, or at least, the tools
exist and we just need to decide how to best equip people with them.
thesamesam/sam-gentoo-scripts has maint/bump-go which builds these tarballs
smartly and reproducibly:

- use --sort=name to order files inside in a consistent way
- use consistent owner:group (portage:portage)
- use consistent LC and TZ settings
- set a standard timestamp (since 'go mod download' doesn't preserve
  upstream timestamps anyway, this loses no useful information)

With that, multiple developers can independently generate a -deps tarball
for a given Go package version with checksums that match. The main distro
tarball's checksums are verified against Manifest, and then within it are
the list and checksums of the individual downloads which would be verified
by go mod download (right?) and the resulting -deps files should also match
Manifest entries.

So a similar approach could be used in the case of expired ::gentoo versions
being installed, or overlays using -deps files without a way to host them.
Set things up so this can be done easily on demand or perhaps automatically
as needed (maybe through a variation on pkg_nofetch in a Go eclass; that
part is not obvious to me).

Thanks,

-- 
Hank Leininger
9606 3BF9 B593 4CBC E31A A384 6200 F6E3 781E 3DD7
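The four normalisations the message lists, as an added shell example that is not part of this message or of sam-gentoo-scripts' bump-go: it packs a constructed stand-in for a Go module download cache from two independently created copies (different on-disk mtimes) and shows the digests agree only when the normalisations are applied. It assumes GNU tar (>= 1.28 for --sort=name), gzip and coreutils sha256sum; it uses owner 0:0 rather than portage:portage so it runs on any host, and all function and directory names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the message or from sam-gentoo-scripts' bump-go.
# Assumes GNU tar >= 1.28 (--sort=name), gzip and coreutils sha256sum.

# Fixed member timestamp (arbitrary constructed value): 'go mod download'
# does not keep upstream mtimes, so pinning one loses nothing.
DEPS_MTIME='2023-01-01 00:00:00 UTC'

# build_deps_tarball SRCDIR OUTFILE: pack SRCDIR with every normalisation
# the message lists, so the output bytes depend only on the tree contents.
build_deps_tarball() {
    # --sort=name     : consistent member order regardless of readdir order
    # --owner/--group : consistent ownership (bump-go uses portage:portage;
    #                   0:0 here so the example runs on any host)
    # LC_ALL=C TZ=UTC : locale- and timezone-independent names and dates
    # --mtime         : one standard timestamp for every member
    # gzip -n         : drop name and timestamp from the gzip header, which
    #                   would otherwise differ per run even for equal input
    LC_ALL=C TZ=UTC tar --sort=name --owner=0 --group=0 --numeric-owner \
        --mtime="$DEPS_MTIME" -C "$1" -cf - . | gzip -n -9 > "$2"
}

# naive_tarball SRCDIR OUTFILE: the same tree with no normalisation at all.
naive_tarball() { tar -C "$1" -cf - . | gzip -9 > "$2"; }

# file_sha256 FILE: hex digest only, the form a Manifest DIST entry carries.
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# make_fake_modcache DIR AGE_SECONDS: constructed stand-in for a Go module
# download cache; AGE_SECONDS shifts every mtime so the copies differ on disk.
make_fake_modcache() {
    mkdir -p "$1/github.com/example/lib/@v" "$1/golang.org/x/text/@v"
    printf 'module github.com/example/lib\n' > "$1/github.com/example/lib/@v/v1.2.3.mod"
    printf 'v0.9.0\n' > "$1/golang.org/x/text/@v/list"
    printf 'h1:constructed-placeholder\n' > "$1/golang.org/x/text/@v/v0.9.0.ziphash"
    touch -d "@$(( $(date +%s) - $2 ))" "$1"/*/*/*/@v/*
}

# compare_builds PACKER: pack two independently created copies with PACKER and
# print "same" or "differ" (what two developers comparing Manifests would see).
compare_builds() {
    work=$(mktemp -d)
    make_fake_modcache "$work/a" 0
    make_fake_modcache "$work/b" 86400
    "$1" "$work/a" "$work/a-deps.tar.gz"
    "$1" "$work/b" "$work/b-deps.tar.gz"
    ha=$(file_sha256 "$work/a-deps.tar.gz"); hb=$(file_sha256 "$work/b-deps.tar.gz")
    rm -rf "$work"
    [ "$ha" = "$hb" ] && echo same || echo differ
}
```

Running `compare_builds build_deps_tarball` prints `same` while `compare_builds naive_tarball` prints `differ`, which is the gap a Manifest check would expose between two developers' hand-rolled -deps tarballs.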