From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 8FB0D138334 for ; Tue, 24 Sep 2019 17:49:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7A670E08A5; Tue, 24 Sep 2019 17:49:46 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2DB7CE088F for ; Tue, 24 Sep 2019 17:49:46 +0000 (UTC) Received: from [10.126.15.130] (unknown [100.42.98.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: zmedico) by smtp.gentoo.org (Postfix) with ESMTPSA id AF90334B16C; Tue, 24 Sep 2019 17:49:44 +0000 (UTC) Subject: Re: [gentoo-dev] [PATCH 2/2] go-module-vendor.eclass: new eclass for go modules that do not vendor To: gentoo-dev@lists.gentoo.org, mgorny@gentoo.org References: <20190923233649.13427-1-williamh@gentoo.org> <20190923233649.13427-3-williamh@gentoo.org> <20190924003000.GA25904@linux1.home> From: Zac Medico Openpgp: preference=signencrypt Autocrypt: addr=zmedico@gentoo.org; prefer-encrypt=mutual; keydata= mQINBFs7tmwBEADTzG+IcYtRfTfKryU7sUH7LlV1M+TdaCMfIkY4x6RyHXkaaqYuQ+U9HKn0 +m5FcZsZ1Ojik+We3Tz0F6kDbam6EWzBxmsLb/IHeUEsvsuLzuBQjiD9zzqGocZiPWr+uWJs AdbueS72R7FPXJPDUEPrJ9GdhGFyYARveY9cmdisOwcDOiSFfBjk3/89t4gROn4KUhezVuO9 VS14gVSns1561CJjlB47HkSBu4+FuzrfVygg4xitWAH119Ehw0vJcgkTw4Bqhk01Iw9us80m dFyU8JbJ0CVYe30gYKFFbnXoiT6xLLogKOkv0goPFxaXcMwWM9ei3SjAGVqgN6i8VnO7kquV LwkTe6ntEK0iY+l4qTKuyIOQLpCbWNI0eVwlx5b/pY2pt5TEGWAPMCZGjlidMx0aDcVX4oji 2/xegFAcxALrfOX3kj2FZ9kNAqLZu26AfqtslIqlBEAb5sZwPr351msBIdbaWX2UNw21I478 7eQ7UfohwXQHlXdhc/wop3VDkDzLBnvlK4ozSJI/9T5F/+9yEZvc6DKUWdEfD12o2El5hHan gCUQWDBKqZb1wcekK8KY2tmH8BBQi7k52IWYLJYfJdir/XpGm5SsDpf3zvDcIFXqFHAG7w7b fhriM+6oBOeIO9ew1Xj3swbRhDwdzRUhu7Uqayq1vdvKqGkgcQARAQABtCNaYWNoYXJ5IE1l ZGljbyA8em1lZGljb0BnZW50b28ub3JnPokCVAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB AAIeAQIXgBYhBEdYrNjamv1GpqYECtYQzzch54rNBQJbZpeGBQkEzWcaAAoJENYQzzch54rN iTEQALgfn8NqcY1P3VgE8n/ypYfCa8YhOhZcSlVOnIil9u4F0OPUP9/TFALaW2RRctUm7URP Oe6gMd8mzFauU1q8FKHW8vo6i48Oqb3RmkH4PNbH0EHfM1e3pAq+E6Bi08y7HzYUm5PKr+m3 oLNFvqZuG3RKgmKQTm8E56IpI8rODnVmBkLQEGkdi9hDB1Zkm9dlT+eRGglHAhnpb+AweOzh dvqdfu0SKEoyLjCvRIFltrtNIuKWpjqOVAaMU0hLfDlRVJR0oTThe7P0vhulKZtWS/L7wXJr e7NGIunM09JIAjYAXX5hmY9L0oKnp0WK5PksBKIu8W8TUwzVmTXNAs7qfEQQJ3LvAQo3xifa l2n0ixdoozltU8afxJohz8OKrWOAzE8kqWa+H+t1XZtQAy7yZA3x51vyp4hquyAMYrZbU8hC 0x/l6KM/qGI7RPohw5VxgneQCAbpu/G+3DLVH5QjPR+tKPtpFkEpxrbTNUhaOUqFipX92382 w2CCxDrNrBYbnFYKmVthZqVxrUuDfi4VIgeBkGzDKPwqjSkbdZ0/I5GAmjZh0aJWrRnzCum/ hZHHHcU+wOdXBwwGBhRf9SIaxCfaxw0PB+CZXsswvuaANah2b32EFTPcFCCgFvoGMNSSHFuo JR3PAo6qvwGhYdmTI/Na57P1FF+g3VojnAnK2eIEuQINBFs7tmwBEACfZb/EePObKC8tuVFl IMQaTRzm7q5THbwQvbdKdw/31cdYJaZZ7BFgnSBq2CBYDPxcm+TxvvjgNTam8kZGdEpCm3/v P1YdJSoiYbisJubV7JiAOoAmGtaDOVX5thpv28HL17wqK2d5jgqMTLFeT3hyaro5cjGAQlhT NOyfwVkdFMFLjOhGzq7aki4UZ9ieS/IedoyZvOblf79d5PV1xI0mf2w5yoHcfZRv7nwI9XMz nqlgC9/RQP7O+WfCl2pl9gyd0hc3uqUWl0ke9xHvVxlEdORH/f+OzeybYj9r80GkC6MeqiG8 qzuWO0IZZ5Gvzwkq0KgRAefr9Z/4vmyOiVhJrvk1gLp6VEdB54fUO3MG/PcnYiasRJOUwRQQ 1+q25w5i9ooZRk0LQ6oNnWbeVj+Pwn0mzL0/GjkdPsYclxzOLSlRAwkisepVl62L2m+XwXsZ j9DS3vIHEbbfCmKayBuGCXQEpJMmEnGqFLnOzv29cOutm3BnGXcWAg5aJjiV5PKEmr/4g9/E J8lphGnNCRQ2DvUzO1tlHpmT+JvDBwAgo5rfq5wjjeiS578kAgPoitOBzp/z5YM5FXX+shEd i5/ratErb9ysUfr3Z45YV3yM6MHgCpEg8+5k6fM6ey4tRnxXAYdJ4XzaSyML9fsnEg9aVaCP iRl+fuLSuF1QJf7LwwARAQABiQI8BBgBCAAmAhsMFiEER1is2Nqa/UampgQK1hDPNyHnis0F Al0KotoFCQPRFW4ACgkQ1hDPNyHnis1CCg//ZOK07qtPUdRqMgD83BrXfzF+eLvzfkCuMqdO TWexli5pCwVrYLdystEbH60I1+ocBEbjMKqGoGt4HbEW3wq6zmHdKr5AIK4M3bGdlEI3cuPY QDdU8gFlwGpm79QnPAqXMiXeO2hlm2hYAhQ7Ir+q/lc3jxDQisuGtoIZZQ43MwPX95gy1kPz uGUmrT9Jl5m9ujHnLrQpCgUKLkRibGijx/A2p5MmtONMlKjtNXsSaRofabcfKD/RB0RCSft+ fYYgQ8PiYikpWi3+Z6PTH8Ivb7j7Hk0ZrB2toN51YE1wOKUN3i53K9fdTtI72lzvVrR15eRZ vahOB0tHAS8e2ZYQOXccqVcvc9YO8ZP5lfn/x2Vo+EgKK55FlIZrowI3deZYZDN6lz9rvhid 257TZrmUeJFdVA/MqK3ICBO0KkwAsMsl07ILOXq7rZBeDDNWTq/uIzl3fDRRhq+njdUejkqS F//EmOh8+iKhmdE0CJkzzYgHC4W+CDLo4gM3TznXi827zVAdsnk9ldmyBfHq/kkpfuGpx9L8 BeCLbkv/7I3sbT4POdsYeYC2ULhqCtGsY2Vtzf3ygb+BsUxAEG3IM62GcMydBzL12gkk73WQ XxuUVSEUB4CchrAprWtYYZ1OIKNnh7tT5IrBjhNujBjAyRYz+1CHTiM3MoXH68TkIaBB+065 Ag0EWzvRagEQANK1C/HvZgnFVa+3tFmS4OVnCRO611C7WXubm5Y2xj/Lh2LOWv5TeTtTp5FR S3961b429TbJNv0q9N4mDi6XOGpZvWLkfiDw/VT9I+48B2eVXKx5N2H48S7t1Knwut6vuTEx 14MGiZToCs2Tu1fEUnaBv2Hg60ysVfplDAQadixzboLHM1DxLYn1W/cAUrhXAW5uNQlyE0Ze kiB10JxbnAurdpRSu4X81IrGJDK/oNAgAcWRieVX5J1N5LStPrloFKf+Dtl2z49WibXVTjwF Ir/BZYprkTTgNzeM3VRPnyRz7IA1pMkVX0r4C0O38mqHyDCpkM/TKsOpNMDqYcllD8Fa/Zyg S08RLymWvRXWn7Sz7MlZE9CCQ2aG+N20esYH3nwrYsdUdj87/nSwqYKhTWwBBIWtrrCHw56O ZMTXznX3OkLOBB0gXH92G5dKv4azBeAZzR6c+qvP6PxgVuAlvlnFbzgW5m4CrkTsEwSh/s2Y d9sJPctzkPkif6tDWk0qKy9lRwTKyOK0xqwZGcJBLdqInU05DLJlrf2QJKBS2SE1tEparQvT 8/+EBpzGk0omSxGmDxLW6EY1CTXV+LfbRYz42Y71f7aVNNqfF/CbJYLupe9DadjvceRM/ZFG WO6SzWoO7ed5uT2i8M33tC2EnK/BL1oZ5Wr7Kv5XED10JI+5ABEBAAGJBNIEGAEIACYCGwIW IQRHWKzY2pr9RqamBArWEM83IeeKzQUCXQqi2wUJA9D6cAKgwdQgBBkBCAB9FiEE8OgXaltW zqgSupCu0HX7jBBKPSAFAls70WpfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEYwRTgxNzZBNUI1NkNFQTgxMkJBOTBBRUQwNzVGQjhD MTA0QTNEMjAACgkQ0HX7jBBKPSAkQw/+I/z0S3uMfcCL3DVtDX1PQKE4Pg7foiOKxJMZNiyh 4gBSCRr9cWa5BICB5OPlNzvf83LRXmOxyOa1UqFRsWQsZ60e4DSAcmnER6ePTN50AhDfpOhT SCJrtCyTtykkklGB7d91pSBvhpRxTl9ODaWQ92wypbYHX92OUrPpPZypfzKia8HKIF1FJZUm VGaCphBMnJBrrMsRFZyScIb1PagP3L1UmVVbeRwtPZCYHpr/er8zSAJQGXyoYdlgMa/7Sy7h J6mlDkEA6709c1XykZ2pMyyKtD4TbQrlCmvOY+DmRUbjHyobVSlGkL+En0TvnBrH2jhauocf g2aG+cv89+zaMrs8kuL/FGq87rnAYY77glbSRqKWGO8uhFgmLQHqKvkmG0rjiRy1yquftDKA 71kHmvb+LUvJmsD4tYotyl3vHGutq6cWJ2hzrczPlBp29YZw524zoM4pLhuwuCvnZX7jXdSR 228Gu7/iED2zULwOlzoNPSnTAVInsQEoTh2W71UKcn37tfodUyirtoyPtlaonVLUmn+bq4nD MEN7FxOiSPytM8HNsij7cR9oZYyTjtWhCBxx57kHWO/GYvGEhsR34tRz16SMNDQURM3t04G4 giDn5noh0DJywswd815JM/SMwcdkEpum1DCJpD+GJ4xtKto3p+OjO1riPDyZQGg4lOAJENYQ zzch54rNIqAP/2SA8lGZYHz5XzWrFkszK0T/xScQPbaPa23WQ6Xdw3JyVCcRfWqlZtEtP0K3 w2AA33jFJ1JRio7le+WSS+YMAlW6q6vlcKrQoe1eeQoN8NsILCyp5fXfKeASHzbWt1ClWZm4 Q+rU5L3cL+BTmg+C83ywnhrw/839zejduDDwLQiEm4x3xQ0tpy65TgYOl1AhVJBlmgDRavjE oVGiaQIpxrHANrAJMMS9RpXhHQk4g9JetZFjupvzKzvbNxfm1NmFNCH92IQCd1Az415Hg8yw iVVLlCb92u4AeO2WQMMmQLwk0UQfpM6f3NMCbhW/y5P7Ie2zxm96LktNRVY6IO7PbWRE8ih9 uTyzd4T7V+3sDEB4OfJ1btMcfFbeEx4aJ6xGM7AykEns3I8oj5jufBuupz6Z5cvR4OV+Qz1B DsOVrLRS4saTCEXdoi2D1LL8dwBHvLP5tuHP9bDYXvIM/8v7c4wOq8WZvBGbOz3oEYFwuUS/ Hs6hli8QgovhO8KS3zyBo7q0dNzwQZ/G8/vKrmZS02/Yvv8yaqhH75pOfuZe6QQSIzn6M7gy Dcw47b5d/SDAgXU/ztlXUys+4lLoz6gBCTheaQF3OEBF2LlyTWHVPeY7nKe/B1k6ZPnL2SgU 1si1MD81KA9EcfcjOZQHgkHkzNRKN28CgTxp1cc1hWvZaGCC Message-ID: <92369760-5ff6-b1e5-32ad-49c9e231481e@gentoo.org> Date: Tue, 24 Sep 2019 10:49:42 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 In-Reply-To: <20190924003000.GA25904@linux1.home> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Jj7L44vG7QmGv1mx6zkBT0T3YUAp8I5dB" X-Archives-Salt: 4783b886-3a44-499b-b469-af9443c1cf31 X-Archives-Hash: 7d407c0feba91d0ea7dec3b2ed0dc2dc This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --Jj7L44vG7QmGv1mx6zkBT0T3YUAp8I5dB Content-Type: multipart/mixed; boundary="P7jdXKhTUUgmeNZtsMJLyGVJzSaTSXo7U"; protected-headers="v1" From: Zac Medico To: gentoo-dev@lists.gentoo.org, mgorny@gentoo.org Message-ID: <92369760-5ff6-b1e5-32ad-49c9e231481e@gentoo.org> Subject: Re: [gentoo-dev] [PATCH 2/2] go-module-vendor.eclass: new eclass for go modules that do not vendor References: <20190923233649.13427-1-williamh@gentoo.org> <20190923233649.13427-3-williamh@gentoo.org> <20190924003000.GA25904@linux1.home> In-Reply-To: <20190924003000.GA25904@linux1.home> --P7jdXKhTUUgmeNZtsMJLyGVJzSaTSXo7U Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 9/23/19 5:30 PM, William Hubbs wrote: >> +# @FUNCTION: go-module-vendor_src_unpack >> +# @DESCRIPTION: >> +# Extract all archives in ${a} which are not nentioned in ${EGO_VENDO= R} >> +# to their usual locations then extract all archives mentioned in >> +# ${EGO_VENDOR} to ${S}/vendor. >> +go-module-vendor_src_unpack() { >> + local f hash import line repo tarball vendor_uri >> + if [[ -z "${EGO_VENDOR}" ]]; then >> + die "EGO_VENDOR is not defined" >> + fi >> + >> + vendor_uri=3D"$(go-module-vendor_get_vendor_uri)" >> + for f in $A; do >> + [[ $vendor_uri =3D=3D *"$f"* ]] && continue >> + unpack $f >> + done >> + >> + if [[ -d "${S}/vendor" ]]; then >> + eerror "Upstream for ${P}.ebuild vendors dependencies." >> + die "This ebuild should inherit go-module.eclass" >> + fi >=20 > All, >=20 > I want to talk about the if block just above where I am writing. >=20 > If the vendor directory exists after the sources are unpacked, the idea= > is that upstream is vendoring their dependencies and we probably don't > want to mess with the contents of the vendor directory in that case. >=20 > Mgorny, you suggested that there might be a valid use case for being > able to insert our own dependencies even when upstream bundles them for= > security. Something like that is an easy enough change (deleting the if= > block), but I want to know more about whether this is a strong case for= > it. My thought is that if the issue is reported to upstream, they shoul= d > do a new release after updating their vendored dependencies, so this is= > more an upstream thing. >=20 > Thoughts? Is there a strong enough use case for messing with the bundle= d > dependencies ourself? If you feel like it would add unnecessary complexity, then it's probably fine to leave that case unsupported. The worst case is that ebuild maintainers will have to copy and modify the eclass function. --=20 Thanks, Zac --P7jdXKhTUUgmeNZtsMJLyGVJzSaTSXo7U-- --Jj7L44vG7QmGv1mx6zkBT0T3YUAp8I5dB Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQKTBAEBCgB9FiEE8OgXaltWzqgSupCu0HX7jBBKPSAFAl2KVzZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEYw RTgxNzZBNUI1NkNFQTgxMkJBOTBBRUQwNzVGQjhDMTA0QTNEMjAACgkQ0HX7jBBK PSBiORAAtdOv0pliludYlrGq3levGbMDcT1O6ysQG5Kk7VySli/+TKdZVsu8yZIe 3YVFGJfyda9vCNRttyl7OZFXNXO1RJIeAbaI0ypqf867lDEWw7OyOCdSTLecRAEv /GaRzPSODVzXk6gydzPCMUf9BOn8VSoP6STo0g+Ol3Y8HcEMAPHm0JVtiEmM0loX oKcvCUb3WTq04B6QXmKaXkyytqZlz/OIGkIkVksas82yj6Lpf4lKKbTa+lmwDuC/ 4wn4JenQFSam15p6hU0Wcjg6aNOUb7/Xl8ZWSDex86KKORVKi6XDlzeJq7nFpInt S+KrTCJAwKD/L8qQA8vBfEEtb42IhrUDS77DxYvO4o8OqWlSK+nNB4OA3TTGZLHr mmkeU7sD4nOae7xVEWb8cLLt5t6a5yGJdjFBrqGX+QXpIb9uqHrlH7029kFkxnGF HhXGqpYBfFecZP5jBQ17ePzL+0Y5Qbj8JtAltMVfBob/ymjOY7xojUEAe7ictTXX gm56NEwGM8wKxI4GvLWAKRxOHiYL+xv8MpJMC9ujMzJr+cRq1jJ0nd8QhVezUf1N bXr6G8tF3krXG9BowPc9bR5uGs2vcqWVIPFWvE1qKnKisMDWI24sL6CZQrgLIiij B/0hCC+kaXtzZ3PM9a75zNZO+8wlY5xIy/ufq32EvLuCz4K4MVA= =sbJ5 -----END PGP SIGNATURE----- --Jj7L44vG7QmGv1mx6zkBT0T3YUAp8I5dB--