From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4C204158091 for ; Fri, 3 Jun 2022 11:18:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F1F14E0959; Fri, 3 Jun 2022 11:18:15 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9ABE1E0954 for ; Fri, 3 Jun 2022 11:18:15 +0000 (UTC) Message-ID: <9d4adb56-34be-7058-3979-2c99178251dd@gentoo.org> Date: Fri, 3 Jun 2022 13:18:08 +0200 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Content-Language: en-US To: gentoo-dev@lists.gentoo.org From: Florian Schmaus Subject: [gentoo-dev] About EGO_SUM Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: fbd6e9ef-74ca-4f75-931f-3164968a4d2a X-Archives-Hash: 1a64a8e7694c3ee11cd48a58a95f2faa EGO_SUM is marked as 'deprecated' in go-module.eclass [1, 2]. I acknowledge that there are packages where the usage of EGO_SUM is very problematic. However, I wonder if there are packages where using dependency tarballs is problematic while using EGO_SUM would be not. Take for example an ebuild containing SRC_URI=" https://salsa.debian.org/baz/${PN}/-/archive/v${PV}/${PN}-v${PV}.tar.bz2 -> ${P}.tar.bz2 https://personal.site/files/gentoo/${P}-vendor.tar.xz " where ${P}-vendor.tar.xz is a Go dependency tarball, containing only a few Go modules. Hence EGO_SUM would contain only a few entries in this case. I see multiple issues of using dependency tarballs in such cases. First, my trust in a tarball created by someone and hosted somewhere is lower than the contents of the artifacts hosted on an official hub. Next, if anyone takes the time to review the contents of the dependency tarball, it may only benefit Gentoo. On the other hand, if someone reviews EGO_SUM artifacts, the whole Go ecosystem will benefit. I may not know Gentoo's mirror system in detail, but I believe using EGO_SUM facilitates cross-package distfile sharing. While dependency tarballs will increase the space requirements, and, probably more importantly, the load on the mirrors. Even more problematic are that dependency tarballs require additional steps that would not be required when EGO_SUM is used. While those steps appear simple, behavioral theory shows that even the tiniest additional steps have a huge impact (e.g., online shops loose a relative large share of customers if for each an additional checkout step). If we force dependency tarballs for Go software, then packaging Go software just become a little bit harder. This leads me to the question why are we actually deprecating EGO_SUM? It seems like a nice alternative for Go packaging that we may want to keep. But maybe I am missing something? - Flow 1: https://github.com/gentoo/gentoo/blob/9fec686abf789fdff36a90c3763d9558203cbf9a/eclass/go-module.eclass#L108 2: https://github.com/gentoo/gentoo/blob/9fec686abf789fdff36a90c3763d9558203cbf9a/eclass/go-module.eclass#L349-L352