From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 56075138334 for ; Fri, 13 Sep 2019 23:45:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AFCBAE092B; Fri, 13 Sep 2019 23:45:05 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4FB0FE0921 for ; Fri, 13 Sep 2019 23:45:04 +0000 (UTC) Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mjo) by smtp.gentoo.org (Postfix) with ESMTPSA id 07B7134AE48 for ; Fri, 13 Sep 2019 23:45:01 +0000 (UTC) Subject: Re: [gentoo-dev] [PATCH 3/3] dev-vcs/hub: migrate to go-module.eclass References: <20190911172128.18885-1-williamh@gentoo.org> <20190911172128.18885-4-williamh@gentoo.org> <20190911234815.GA21591@whubbs1.dev.av1.gaikai.org> <20190912154634.GB23846@whubbs1.dev.av1.gaikai.org> <88094567-323c-6f6a-a1d9-0c1b77ef53e3@gentoo.org> <6acd490e-6393-62e4-5d07-71c2a3624417@gentoo.org> <98f7c838-6562-1214-c883-ec4cdbd45d4e@gentoo.org> <20190913211930.088d5513@katipo2.lan> <74ae34f0-75c5-2416-a09f-9551f18ef321@gentoo.org> <20190913131743.11a1d990@patrickm.gaikai.org> From: Michael Orlitzky To: gentoo-dev@lists.gentoo.org Message-ID: <2b8d7f00-fdf9-e879-5035-cc00b9c2b551@gentoo.org> Date: Fri, 13 Sep 2019 19:44:55 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 In-Reply-To: <20190913131743.11a1d990@patrickm.gaikai.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Archives-Salt: 391582b2-7791-44d1-9690-bbd0e6e4ce45 X-Archives-Hash: 7fae2843502d65cbc5adb17ed3e0ae23 (Replying to both messages at once.) On 9/13/19 4:17 PM, Patrick McLean wrote: >> > I don't think anyone here has suggested that any go packages are > installed in the stage3 tarballs, or included in profiles. Something's > presence in the tree does not mean that you are required to install it. > A package's presence in the tree really has little to zero effect on > any user that does not use the package. If you do not install the > package, it will have zero effect on your banking. This is true only so far as they never become dependencies of anything else. Do all new developers know that dev-go is an insecure ghetto? Do our users? Or might someone accidentally install or depend upon something in dev-go before learning that crucial bit of information? > I also want to point out that the Gentoo packages for Firefox, > Chromium, and Webkit all have a _lot_ of bundled dependencies and > absolutely do static linking internally. If you are using a browser to > do your banking, you are almost certainly using static linking, even > without the presence of code written in golang. Is this is a "two wrongs make a right" argument? I'm telling mom =P > Despite your (and my) objections to it's approach to linking, golang is > a very popular language these days with some very popular packages > written in it. No it's not. It's below Delphi and Object Pascal on TIOBE this month. It's a trend that a tiny percentage of people jumped on because they heard the name "Google" back when Google was cool. The "people want this in Gentoo" argument I understand, but people don't really have it "in Gentoo." They have a thin wrapper around the "go" command. They don't get the Gentoo security guarantees, they don't get the Gentoo license handling, they don't get the ease of management that comes with a Gentoo @world update. They silently get something less than they're expecting. We would be better off telling people to run "go whatever" themselves, or by putting this stuff in an overlay where expectations are clearly defined. > While I personally have opinions about static linking (I basically > completely agree with you that it's a dumb idea). That said, this has > nothing to do with this particular discussion, I suggest you take it up > with the golang upstream. I don't think anyone here is arguing that > static linking is a great idea and everyone should do it. We just have a philosophical difference here. I don't think we should commit admittedly-dumb ideas to ::gentoo. These packages would work fine in an overlay until such a time as someone is interested in doing things correctly. They also work "fine" if you install them with "go" yourself: Portage isn't doing much for you when everything is bundled, statically linked, and has LICENSE set incorrectly. I don't want to keep replying to these threads -- I've said everything that I've got to say, and I'm boring myself, so I can only imagine how you all feel. This will get pushed through anyway, because it always does. It's just demoralizing constantly begging people not to make things worse and being ignored.