public inbox for gentoo-dev@lists.gentoo.org
From: "Arsen Arsenović" <arsen@aarsen.me>
To: gentoo-dev@lists.gentoo.org
Cc: William Hubbs <williamh@gentoo.org>, Florian Schmaus <flow@gentoo.org>
Subject: Re: [gentoo-dev] Proposal to undeprecate EGO_SUM
Date: Tue, 14 Jun 2022 19:34:47 +0200
Message-ID: <3404255.uGPaa05TMh@bstg>
In-Reply-To: <20220613074411.341909-1-flow@gentoo.org>

(replying to the first post here as I believe this post is relevant to 
most, if not all, subthreads)

I've prepared a PoC of an automated solution for vendoring[1] a while 
back (around the start of this whole discussion) that would place trust 
on the infrastructure (though potentially verifiable).

My concept provides two solutions:
1) go mod vendor - not verifiable by users (as vendor tars don't include
enough information for checksumming - see also [2])
2) modcache - significantly larger but verifiable on the client (against 
existing go.sum). These archives really go up to gigabytes in size as 
opposed to a few megs of vendored tarballs.

Please note that [1] is on a small server, possibly broken, pretty slow, 
and not fit for production yet. Ping me on IRC if you encounter issues 
so that I can "unjam" it.

Also note that this thing doesn't attempt much to figure out how to 
convert a ${PV} or any other format versions, and essentially leaves 
that up to the GOPROXY (with very little extra work, see: [3]).

The proposed solution here is that the developer passes something like 
https://go.gentoo.org/vendor/...@${PV} -> vendor.tar into $SRC_URI, 
which would get initiated with a call to ``pkgdev manifest'' or such 
(possibly authenticated via IP or keys or something, to prevent abuse), 
and be done with it.

The biggest downside I've seen so far (excluding further developing the 
solution) is that some Go programs don't respect the restrictions of the 
Go module system, and thus fail to fetch.

[1]: https://vengor.aarsen.me/
[2]: https://github.com/golang/go/issues/27348
[3]: https://git.sr.ht/~arsen/vengor/tree/ab1ae7b275ab492d4806de88cfbf67e7b97c1ade/item/vengor/__init__.py#L101-127

-- 
Arsen Arsenović
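
Added example (not part of the original post and not vengor's code): what "verifiable on the client against existing go.sum" means for a module zip from a modcache archive. It recomputes the go.sum "h1:" digest the way golang.org/x/mod/sumdb/dirhash does and compares it with one go.sum line. The function names and the example.com/m module are hypothetical, and the zip is assumed to hold only file entries with clean paths, as Go module zips do.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io/fs"
	"sort"
	"strings"
)

// zipH1: "h1:" + base64(SHA-256 of name-sorted lines "<hex sha256 of file>  <name>\n").
func zipH1(zipData []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return "", err
	}
	sort.Slice(zr.File, func(i, j int) bool { return zr.File[i].Name < zr.File[j].Name })
	h := sha256.New()
	for _, zf := range zr.File {
		data, err := fs.ReadFile(zr, zf.Name) // also fails on a zip CRC mismatch
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(data), zf.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// verify checks a module zip against one go.sum line: "<module> <version> h1:...".
func verify(zipData []byte, goSumLine string) bool {
	f := strings.Fields(goSumLine)
	got, err := zipH1(zipData)
	return err == nil && len(f) == 3 && got == f[2]
}

func buildZip(kv ...string) []byte {
	var buf bytes.Buffer // constructed sample input from name/content pairs
	zw := zip.NewWriter(&buf)
	for i := 0; i+1 < len(kv); i += 2 {
		w, _ := zw.Create(kv[i])
		w.Write([]byte(kv[i+1]))
	}
	zw.Close()
	return buf.Bytes()
}

func main() { fmt.Println(zipH1(buildZip("example.com/m@v1.0.0/go.mod", "module example.com/m\n"))) }
```

The digest covers every file name (prefixed with module@version) and every file's content, so a changed, added, removed or renamed file in the archive no longer matches the go.sum entry. Entry order inside the zip does not matter.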
