From: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: Konrad Weihmann <kweihmann@outlook.com>,
	Richard Purdie <richard.purdie@linuxfoundation.org>,
	Khem Raj <raj.khem@gmail.com>,
	Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] base/patch: Disable network for unpack/patch/configure/compile/install
Date: Mon, 27 Dec 2021 14:38:02 +0100
Message-ID: <5f6b7b04-7570-5662-e00d-6a8212b1bcee@herbrechtsmeier.net>
In-Reply-To: <CANNYZj-XR2XzOwnfPTN74mG1QiWcbE96+-iAb-VL7fYta9YA_w@mail.gmail.com>

Hi Alex,

On 25.12.21 at 20:41, Alexander Kanavin wrote:
> On Sat, 25 Dec 2021 at 20:32, Stefan Herbrechtsmeier
> <stefan@herbrechtsmeier.net> wrote:
>
> > > I'm not sure how to deal with that, so there aren't that many
> > > options here.
> >
> > This is a common problem for all language specific package managers
> > (python / pip, Node.js / npm, Rust / Cargo, go) and we need a common
> > solution.
>
> I tend to think that the best (and the hardest) option is to improve 
> these tools so that they're usable inside do_fetch (e.g. fulfil the 
> caching/reproducibility criteria for a bitbake fetcher), and the needed 
> changes are acceptable to upstreams.

Is the fetcher really the problem? In all cases the input and output of
the package manager fetch task are well defined. In the npm case the
bitbake npmsw fetcher and my recipetool approach translate this
configuration into bitbake fetch and unpack commands.

The real problem is the different philosophy between OE and the package
manager. The package manager doesn't care about duplicate versions,
maintenance versions, version updates of indirect dependencies, license
compliance, CVE checks or dead code (examples, documentation, tests,
...), and if they care, every package manager has its own solution.

Why don't C/C++ and Python fetch all their dependencies inside a single
recipe, and why do we try to replace embedded dependencies? I think we
have good reasons for it and we shouldn't discard it for other languages.

Independent of the language, an update of a dependency needs a test inside
a user, and with Node-RED as an example I show that this is possible for
npm modules.

Regards
   Stefan
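
Added example, not part of the original message and not bitbake's npmsw fetcher code: a small audit of an npm lockfile showing the two points made above, that the lockfile is a well-defined fetch input (URL plus checksum per package) and that npm accepts duplicate versions of one package. It assumes the lockfile v2 "packages" layout; the sample lockfile, package names, registry host and integrity strings are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the npm lockfile v2 layout ("packages" keyed by install path).
# Names, versions, URLs and integrity strings are made up for illustration.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/foo": {
            "version": "2.0.0",
            "resolved": "https://registry.example.invalid/foo/-/foo-2.0.0.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/foo/node_modules/left-pad": {
            "version": "1.1.3",
            "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.1.3.tgz"},
    },
})

def package_name(install_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (name after the last node_modules/)."""
    return install_path.rsplit("node_modules/", 1)[-1]

def audit_lock(lock_text):
    """Return (fetch_list, duplicates, unpinned) for a lockfile with a 'packages' map."""
    packages = json.loads(lock_text).get("packages", {})
    fetch_list, unpinned = [], []
    versions = defaultdict(set)
    for path, meta in sorted(packages.items()):
        if path == "" or meta.get("link"):  # root project or workspace symlink: nothing to fetch
            continue
        name = package_name(path)
        versions[name].add(meta.get("version", "?"))
        if meta.get("resolved") and meta.get("integrity"):
            fetch_list.append((name, meta["version"], meta["resolved"], meta["integrity"]))
        else:
            unpinned.append(path)  # no URL or checksum: not reproducibly fetchable
    duplicates = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    return fetch_list, duplicates, unpinned

if __name__ == "__main__":
    fetch, dups, bad = audit_lock(SAMPLE_LOCK)
    for entry in fetch:
        print("fetch", *entry)
    print("duplicate versions:", dups)
    print("missing resolved/integrity:", bad)
```

Entries reported as unpinned are the ones a network-isolated build cannot reproduce from the lockfile alone, and the duplicates map is the list a distribution would have to track for CVE and license purposes.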

