From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1BDF5158004 for ; Sat, 30 Mar 2024 15:59:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E1731E2A3C; Sat, 30 Mar 2024 15:59:49 +0000 (UTC) Received: from james.steelbluetech.co.uk (james.steelbluetech.co.uk [78.40.151.100]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8F62DE2A38 for ; Sat, 30 Mar 2024 15:59:49 +0000 (UTC) Received: from ukinbox.ecrypt.net (hq2.ehuk.net [10.0.10.2]) by james.steelbluetech.co.uk (Postfix) with ESMTP id A8BCEBFC18 for ; Sat, 30 Mar 2024 15:59:47 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.10.3 james.steelbluetech.co.uk A8BCEBFC18 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ehuk.net; s=default; t=1711814387; bh=fGWVHYMsRUo9c3+ftHf9k2L+aukZ1dVA7GGc/tYB3ac=; h=In-Reply-To:References:Date:Subject:From:To:Reply-To:From; b=rHFT8eR8J13ygiM+NRD876MfEvw61XiLIshfgjoJfQf4epH9HzZ2P/PJ8WOprOPyg GVEiTRccBRESQvPEG5W3n0kalFOjlkt+RRgElDBAhVFsZj3CMQUNMMldhmG6cLTQZ7 endmts7ibBVT1MeNWJ4UocnvowJyRmQI4ERFimgGZSkaKELWcjiDG+sbtOaimUMsSR aYiZOxghlYR57nrn6BoP2PatUNcbA6FUmGuZVEdGYhDGrzPMySxwAdUazXjU7JcM3n KGbmuYcJ+mnIZ/+1acDfocU1WIts0HvD0oIiXhT6dHjcJFKU1T/T1dn3ghwKaPOg++ QBWlPEImOlinQ== Message-ID: In-Reply-To: References: <20240329204315.3b29449b@Akita> <1671d927-55d5-6f01-2b54-b33981406945@gmail.com> Date: Sat, 30 Mar 2024 15:59:47 -0000 Subject: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo From: "Eddie Chapman" To: gentoo-dev@lists.gentoo.org User-Agent: SquirrelMail/1.5.2 [SVN] Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang X-Archives-Salt: c52fe7c1-8957-4a6a-9467-200476ef66ae X-Archives-Hash: 5e81373c7f0caa698cbd41fdab598f77 Michał Górny wrote: > On Sat, 2024-03-30 at 15:17 +0000, Eddie Chapman wrote: > >> Michał Górny wrote: >> >>> On Sat, 2024-03-30 at 14:57 +0000, Eddie Chapman wrote: >>> >>> >>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm >>>> saying is wouldn't it be nice if there were at least 2 alternatives >>>> to choose from? That doesn't have to be disruptive in any way, >>>> people who wish to continue using and trusting xz-utils should be >>>> able to continue to do so without any friction whatsoever. >>> >>> So, you're basically saying we should go out of our way, recompress >>> all distfiles using two alternative compression formats, increase >>> mirror load four times and add a lot of complexity to ebuilds, right? >>> >>> -- >>> Best regards, >>> Michał Górny >>> >>> >> >> Yes that's a very good point, that was something I was wondering in >> weighing up both sides, what the costs would be practically, as I don't >> know the realities of running Gentoo infrastructure. And maybe the >> costs is just too high of a price to pay. >> >> I wonder if increased use of git repos rather than distributed tarballs >> could be part of a solution to those issues, although that could put >> quite a storage burden on every user. Unless they were all shallow git >> pulls and the user could optionally choose to tar up the git directory >> after clone with compression. But yes granted then there is even more >> ebuild complexity. >> > > Should we convert git repositories to Mercurial and Bazaar too, to avoid > relying too much on a single tool? > > -- > Best regards, > Michał Górny > I sense that question may have been slightly in jest :-) At least I hope so as it could also be interpreted as an attempt at ridicule. I'll take it as the former. In case you are seriously asking; of course not, that's totally unnecessary. The objective is simply to obtain the upstream source code intact. We don't need whatever version control of their source they are using, which of course is the whole point of fetching distributed tarballs. My suggestion of git pulls is just to address your point of resource usage on gentoo infra, it reduces the need to store binary dist files. I've also heard some argue that relying on distributed tarballs is part of the overall problem and what the bad actor was taking advantage of. They may have a point.